-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Nov 2024 15:06:10 +0100
Source: postgresql-15
Binary: libecpg-compat3 libecpg-compat3-dbgsym libecpg-dev libecpg-dev-dbgsym libecpg6 libecpg6-dbgsym libpgtypes3 libpgtypes3-dbgsym libpq-dev libpq5 libpq5-dbgsym postgresql-15 postgresql-15-dbgsym postgresql-client-15 postgresql-client-15-dbgsym postgresql-plperl-15 postgresql-plperl-15-dbgsym postgresql-plpython3-15 postgresql-plpython3-15-dbgsym postgresql-pltcl-15 postgresql-pltcl-15-dbgsym postgresql-server-dev-15
Architecture: armhf
Version: 15.9-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: arm Build Daemon (arm-conova-01)
Changed-By: Christoph Berg
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 15
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql-15 - The World's Most Advanced Open Source Relational Database
 postgresql-client-15 - front-end programs for PostgreSQL 15
 postgresql-plperl-15 - PL/Perl procedural language for PostgreSQL 15
 postgresql-plpython3-15 - PL/Python 3 procedural language for PostgreSQL 15
 postgresql-pltcl-15 - PL/Tcl procedural language for PostgreSQL 15
 postgresql-server-dev-15 - development files for PostgreSQL 15 server-side programming
Changes:
 postgresql-15 (15.9-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version 15.9.
 .
     + Ensure cached plans are marked as dependent on the calling role when
       RLS applies to a non-top-level table reference (Nathan Bossart)
 .
       If a CTE, subquery, sublink, security invoker view, or coercion
       projection in a query references a table with row-level security
       policies, we neglected to mark the resulting plan as potentially
       dependent on which role is executing it. This could lead to later
       query executions in the same session using the wrong plan, and then
       returning or hiding rows that should have been hidden or returned
       instead.
 .
       The PostgreSQL Project thanks Wolfgang Walther for reporting this
       problem. (CVE-2024-10976)
 .
     + Make libpq discard error messages received during SSL or GSS
       protocol negotiation (Jacob Champion)
 .
       An error message received before encryption negotiation is completed
       might have been injected by a man-in-the-middle, rather than being
       real server output. Reporting it opens the door to various security
       hazards; for example, the message might spoof a query result that a
       careless user could mistake for correct output. The best answer
       seems to be to discard such data and rely only on libpq's own report
       of the connection failure.
 .
       The PostgreSQL Project thanks Jacob Champion for reporting this
       problem. (CVE-2024-10977)
 .
     + Fix unintended interactions between SET SESSION AUTHORIZATION and
       SET ROLE (Tom Lane)
 .
       The SQL standard mandates that SET SESSION AUTHORIZATION have a
       side-effect of doing SET ROLE NONE. Our implementation of that was
       flawed, creating more interaction between the two settings than
       intended. Notably, rolling back a transaction that had done SET
       SESSION AUTHORIZATION would revert ROLE to NONE even if that had not
       been the previous state, so that the effective user ID might now be
       different from what it had been before the transaction. Transiently
       setting session_authorization in a function SET clause had a similar
       effect. A related bug was that if a parallel worker inspected
       current_setting('role'), it saw none even when it should see
       something else.
 .
       The PostgreSQL Project thanks Tom Lane for reporting this problem.
       (CVE-2024-10978)
 .
     + Prevent trusted PL/Perl code from changing environment variables
       (Andrew Dunstan, Noah Misch)
 .
       The ability to manipulate process environment variables such as PATH
       gives an attacker opportunities to execute arbitrary code. Therefore,
       trusted PLs must not offer the ability to do that. To fix plperl,
       replace %ENV with a tied hash that rejects any modification attempt
       with a warning. Untrusted plperlu retains the ability to change the
       environment.
 .
       The PostgreSQL Project thanks Coby Abrams for reporting this
       problem. (CVE-2024-10979)
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----