Format: 1.8
Date: Tue, 12 Nov 2024 15:06:10 +0100
Source: postgresql-15
Binary: libecpg-compat3 libecpg-compat3-dbgsym libecpg-dev libecpg-dev-dbgsym
 libecpg6 libecpg6-dbgsym libpgtypes3 libpgtypes3-dbgsym libpq-dev libpq5
 libpq5-dbgsym postgresql-15 postgresql-15-dbgsym postgresql-client-15
 postgresql-client-15-dbgsym postgresql-plperl-15 postgresql-plperl-15-dbgsym
 postgresql-plpython3-15 postgresql-plpython3-15-dbgsym postgresql-pltcl-15
 postgresql-pltcl-15-dbgsym postgresql-server-dev-15
Architecture: s390x
Version: 15.9-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: s390x Build Daemon (zani)
Changed-By: Christoph Berg
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6 - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 15
 libpq-dev - header files for libpq5 (PostgreSQL library)
 libpq5 - PostgreSQL C client library
 postgresql-15 - The World's Most Advanced Open Source Relational Database
 postgresql-client-15 - front-end programs for PostgreSQL 15
 postgresql-plperl-15 - PL/Perl procedural language for PostgreSQL 15
 postgresql-plpython3-15 - PL/Python 3 procedural language for PostgreSQL 15
 postgresql-pltcl-15 - PL/Tcl procedural language for PostgreSQL 15
 postgresql-server-dev-15 - development files for PostgreSQL 15 server-side programming
Changes:
 postgresql-15 (15.9-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version 15.9.
 .
     + Ensure cached plans are marked as dependent on the calling role when
       RLS applies to a non-top-level table reference (Nathan Bossart)
 .
       If a CTE, subquery, sublink, security invoker view, or coercion
       projection in a query references a table with row-level security
       policies, we neglected to mark the resulting plan as potentially
       dependent on which role is executing it. This could lead to later
       query executions in the same session using the wrong plan, and then
       returning or hiding rows that should have been hidden or returned
       instead.
 .
       The PostgreSQL Project thanks Wolfgang Walther for reporting this
       problem. (CVE-2024-10976)
 .
     + Make libpq discard error messages received during SSL or GSS protocol
       negotiation (Jacob Champion)
 .
       An error message received before encryption negotiation is completed
       might have been injected by a man-in-the-middle, rather than being
       real server output. Reporting it opens the door to various security
       hazards; for example, the message might spoof a query result that a
       careless user could mistake for correct output. The best answer seems
       to be to discard such data and rely only on libpq's own report of the
       connection failure.
 .
       The PostgreSQL Project thanks Jacob Champion for reporting this
       problem. (CVE-2024-10977)
 .
     + Fix unintended interactions between SET SESSION AUTHORIZATION and SET
       ROLE (Tom Lane)
 .
       The SQL standard mandates that SET SESSION AUTHORIZATION have a
       side-effect of doing SET ROLE NONE. Our implementation of that was
       flawed, creating more interaction between the two settings than
       intended. Notably, rolling back a transaction that had done SET
       SESSION AUTHORIZATION would revert ROLE to NONE even if that had not
       been the previous state, so that the effective user ID might now be
       different from what it had been before the transaction. Transiently
       setting session_authorization in a function SET clause had a similar
       effect. A related bug was that if a parallel worker inspected
       current_setting('role'), it saw none even when it should see
       something else.
 .
       The PostgreSQL Project thanks Tom Lane for reporting this problem.
       (CVE-2024-10978)
 .
     + Prevent trusted PL/Perl code from changing environment variables
       (Andrew Dunstan, Noah Misch)
 .
       The ability to manipulate process environment variables such as PATH
       gives an attacker opportunities to execute arbitrary code. Therefore,
       trusted PLs must not offer the ability to do that. To fix plperl,
       replace %ENV with a tied hash that rejects any modification attempt
       with a warning. Untrusted plperlu retains the ability to change the
       environment.
 .
       The PostgreSQL Project thanks Coby Abrams for reporting this problem.
       (CVE-2024-10979)
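
A post-upgrade check for the SET SESSION AUTHORIZATION / SET ROLE fix (CVE-2024-10978) described in the changelog above, added here as an example; it is not part of the Debian upload record or of PostgreSQL's own test suite. The roles `chk_role_a` and `chk_role_b` and the function `chk_transient_auth` are constructed names, and the script assumes a superuser session on a scratch database.

```sql
-- Constructed roles and function for this check; the names are placeholders.
CREATE ROLE chk_role_a NOLOGIN;
CREATE ROLE chk_role_b NOLOGIN;

-- A function whose SET clause transiently changes session_authorization,
-- the second trigger named in the changelog entry.
CREATE FUNCTION chk_transient_auth() RETURNS text
    LANGUAGE sql
    SET session_authorization = 'chk_role_b'
    AS $$ SELECT current_user::text $$;

-- Case 1: roll back a transaction that ran SET SESSION AUTHORIZATION.
SET ROLE chk_role_a;
BEGIN;
SET SESSION AUTHORIZATION chk_role_b;   -- standard side effect: SET ROLE NONE
ROLLBACK;
-- The rollback has to restore the pre-transaction role. The flaw described
-- in the changelog left ROLE at NONE instead, changing the effective user.
SELECT current_setting('role') = 'chk_role_a' AS role_kept_after_rollback;

-- Case 2: call the function with the transient session_authorization setting.
SET ROLE chk_role_a;                    -- re-establish the starting state
SELECT chk_transient_auth();
-- Leaving the function has to restore the caller's role as well.
SELECT current_setting('role') = 'chk_role_a' AS role_kept_after_function;

-- Cleanup: return to the superuser and drop the constructed objects.
RESET ROLE;
DROP FUNCTION chk_transient_auth();
DROP ROLE chk_role_a, chk_role_b;
```

Both result columns read `t` when the role state survives as the fix intends; an `f` means the session's effective user changed in the way the changelog entry describes.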