-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Nov 2024 15:06:10 +0100
Source: postgresql-15
Binary: libecpg-compat3 libecpg-compat3-dbgsym libecpg-dev libecpg-dev-dbgsym libecpg6 libecpg6-dbgsym libpgtypes3 libpgtypes3-dbgsym libpq-dev libpq5 libpq5-dbgsym postgresql-15 postgresql-15-dbgsym postgresql-client-15 postgresql-client-15-dbgsym postgresql-plperl-15 postgresql-plperl-15-dbgsym postgresql-plpython3-15 postgresql-plpython3-15-dbgsym postgresql-pltcl-15 postgresql-pltcl-15-dbgsym postgresql-server-dev-15
Architecture: amd64
Version: 15.9-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03)
Changed-By: Christoph Berg
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6    - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 15
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql-15 - The World's Most Advanced Open Source Relational Database
 postgresql-client-15 - front-end programs for PostgreSQL 15
 postgresql-plperl-15 - PL/Perl procedural language for PostgreSQL 15
 postgresql-plpython3-15 - PL/Python 3 procedural language for PostgreSQL 15
 postgresql-pltcl-15 - PL/Tcl procedural language for PostgreSQL 15
 postgresql-server-dev-15 - development files for PostgreSQL 15 server-side programming
Changes:
 postgresql-15 (15.9-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version 15.9.
 .
     + Ensure cached plans are marked as dependent on the calling role when
       RLS applies to a non-top-level table reference (Nathan Bossart)
 .
       If a CTE, subquery, sublink, security invoker view, or coercion
       projection in a query references a table with row-level security
       policies, we neglected to mark the resulting plan as potentially
       dependent on which role is executing it. This could lead to later
       query executions in the same session using the wrong plan, and then
       returning or hiding rows that should have been hidden or returned
       instead.
 .
       The PostgreSQL Project thanks Wolfgang Walther for reporting this
       problem. (CVE-2024-10976)
 .
     + Make libpq discard error messages received during SSL or GSS
       protocol negotiation (Jacob Champion)
 .
       An error message received before encryption negotiation is completed
       might have been injected by a man-in-the-middle, rather than being
       real server output. Reporting it opens the door to various security
       hazards; for example, the message might spoof a query result that a
       careless user could mistake for correct output. The best answer seems
       to be to discard such data and rely only on libpq's own report of the
       connection failure.
 .
       The PostgreSQL Project thanks Jacob Champion for reporting this
       problem. (CVE-2024-10977)
 .
     + Fix unintended interactions between SET SESSION AUTHORIZATION and
       SET ROLE (Tom Lane)
 .
       The SQL standard mandates that SET SESSION AUTHORIZATION have a
       side-effect of doing SET ROLE NONE. Our implementation of that was
       flawed, creating more interaction between the two settings than
       intended. Notably, rolling back a transaction that had done SET
       SESSION AUTHORIZATION would revert ROLE to NONE even if that had not
       been the previous state, so that the effective user ID might now be
       different from what it had been before the transaction. Transiently
       setting session_authorization in a function SET clause had a similar
       effect. A related bug was that if a parallel worker inspected
       current_setting('role'), it saw none even when it should see
       something else.
 .
       The PostgreSQL Project thanks Tom Lane for reporting this problem.
       (CVE-2024-10978)
 .
     + Prevent trusted PL/Perl code from changing environment variables
       (Andrew Dunstan, Noah Misch)
 .
       The ability to manipulate process environment variables such as PATH
       gives an attacker opportunities to execute arbitrary code. Therefore,
       trusted PLs must not offer the ability to do that. To fix plperl,
       replace %ENV with a tied hash that rejects any modification attempt
       with a warning. Untrusted plperlu retains the ability to change the
       environment.
 .
       The PostgreSQL Project thanks Coby Abrams for reporting this problem.
       (CVE-2024-10979)
Checksums-Sha1:
 b6cc6b72a49a8e9495240d467c2b24d38180f14e 16644 libecpg-compat3-dbgsym_15.9-0+deb12u1_amd64.deb
 4206eee0ffb4bd4603731d2aa2a4635d2375ea10 17548 libecpg-compat3_15.9-0+deb12u1_amd64.deb
 050d3c1ca34e2ca811ce93639b9c294e2585addf 280696 libecpg-dev-dbgsym_15.9-0+deb12u1_amd64.deb
 df40b0c973d3c8302bb895a78a2d4e29b25e0cce 296052 libecpg-dev_15.9-0+deb12u1_amd64.deb
 f8e2a8465ca3af93dc83c384373bd7091aa0237a 113172 libecpg6-dbgsym_15.9-0+deb12u1_amd64.deb
 55fa39a7acbfb5afcc7db73cf7321cbbbca5e044 61736 libecpg6_15.9-0+deb12u1_amd64.deb
 340dbeb7545a0879f9e29a0722ca12205646bcd3 88272 libpgtypes3-dbgsym_15.9-0+deb12u1_amd64.deb
 787582d75fcd4b8e7c4f90b663493d61d1c738b1 45308 libpgtypes3_15.9-0+deb12u1_amd64.deb
 17fa89467609a05d59d8ec298c55c9828cb3444a 144628 libpq-dev_15.9-0+deb12u1_amd64.deb
 677489c9a569c0535dc46b4331d5a6e02fdb86c1 276940 libpq5-dbgsym_15.9-0+deb12u1_amd64.deb
 ad8a211b636b674b0ce5fd15b572148a09419119 191108 libpq5_15.9-0+deb12u1_amd64.deb
 9f870af36d04531c5b6e603ae42afcde87f6c4c0 16891660 postgresql-15-dbgsym_15.9-0+deb12u1_amd64.deb
 96b0df1d17cc260f454be692fb5c0b7c4f2e562e 16984 postgresql-15_15.9-0+deb12u1_amd64-buildd.buildinfo
 43c11a37e07dfd78a83802bd67cb05c23994f166 16824988 postgresql-15_15.9-0+deb12u1_amd64.deb
 3e16e4079dd526331de13a209010781cf786a200 2419272 postgresql-client-15-dbgsym_15.9-0+deb12u1_amd64.deb
 b4466cc5690b04fe8b8d1e85360ff880b5b7e9a5 1704276 postgresql-client-15_15.9-0+deb12u1_amd64.deb
 459dc55f003534a0eaba72ddb33f15e56ca3a938 186756 postgresql-plperl-15-dbgsym_15.9-0+deb12u1_amd64.deb
 4c95e3f6f240cf4ec8422c2ced0320e5246b7a98 90736 postgresql-plperl-15_15.9-0+deb12u1_amd64.deb
 d9fe08ac262a8f1478137120634debcd5cefad48 178352 postgresql-plpython3-15-dbgsym_15.9-0+deb12u1_amd64.deb
 567516956d29fe62086c6750a0918994fcaca400 111816 postgresql-plpython3-15_15.9-0+deb12u1_amd64.deb
 44c10ac4cbec76739425a93be0145eddaa26f6d6 79640 postgresql-pltcl-15-dbgsym_15.9-0+deb12u1_amd64.deb
 dc0ad0b9152f51436adb6c43e2f642b24dc8cd93 42600 postgresql-pltcl-15_15.9-0+deb12u1_amd64.deb
 57d372977f09adca94027bc39355f76bdafdf152 1146520 postgresql-server-dev-15_15.9-0+deb12u1_amd64.deb
Checksums-Sha256:
 62cce6559cd463a4dba3cd2d4fa94993f595fc83eec9ab5d43db352bd973e7ca 16644 libecpg-compat3-dbgsym_15.9-0+deb12u1_amd64.deb
 2dfd915058b2961f9202713005ce10d21ac25276ab808d93ab7a6e3e041e88fc 17548 libecpg-compat3_15.9-0+deb12u1_amd64.deb
 821d2794fd14fd6c0c14aa1806d73e5b9181880c4fa6055574394871566646f3 280696 libecpg-dev-dbgsym_15.9-0+deb12u1_amd64.deb
 027c2b640cffe8bf80e2bd7643136f762bbb58635817b642d27411b6a06d3897 296052 libecpg-dev_15.9-0+deb12u1_amd64.deb
 62f73e7a1af245dd27aa71e864a132f51aa0ae1f92b322c09eca3aa8ad93733a 113172 libecpg6-dbgsym_15.9-0+deb12u1_amd64.deb
 a2551b5c48f2f00a8e4315effd353c2fa574be053a29a86aadc5c10db3e7ea83 61736 libecpg6_15.9-0+deb12u1_amd64.deb
 7e016b8eb0b0cb20e407ef73d6c7a25df2d662c943c2d1662efd5272e1cad165 88272 libpgtypes3-dbgsym_15.9-0+deb12u1_amd64.deb
 0d75a74ec7b45a064c694d9de10812b975995886993cc59ed852c98262fb1d9e 45308 libpgtypes3_15.9-0+deb12u1_amd64.deb
 62e413c87d8799afee34a5b1f0e730e78d37eee662a5d7f22b30b746ac7a1398 144628 libpq-dev_15.9-0+deb12u1_amd64.deb
 249c3f2bfa7ef5735f415363aaca38416487f7576f18d8e357bc866217583e52 276940 libpq5-dbgsym_15.9-0+deb12u1_amd64.deb
 acb3ecb302137969d441b45731960d3987196a39e938393602c68e8a0532753d 191108 libpq5_15.9-0+deb12u1_amd64.deb
 2ca2e82ff22fc221ada318fb8ed43ab1cffa9e62dc652e371f431e7ca65020a8 16891660 postgresql-15-dbgsym_15.9-0+deb12u1_amd64.deb
 b6d6bd8b291954ba5977c369975af994cc1ca724b3f22f1784e6f4acd89a9ea7 16984 postgresql-15_15.9-0+deb12u1_amd64-buildd.buildinfo
 06363f712b9c3d53d6a449c9f8941b76133bc814a754c110d1ee59c6cb892e81 16824988 postgresql-15_15.9-0+deb12u1_amd64.deb
 15f9db14687aaa79f4f070fbd9b0df00eaea74656b02c1001290e632dba81c22 2419272 postgresql-client-15-dbgsym_15.9-0+deb12u1_amd64.deb
 e7db42f561193dc7f671ebda444a72ae6b6768a93860613858a42c8e3742ce64 1704276 postgresql-client-15_15.9-0+deb12u1_amd64.deb
 599c49c8c7b5cee86ce40626b793e86b0f14e3cebc95691cb3d36dd51ef43501 186756 postgresql-plperl-15-dbgsym_15.9-0+deb12u1_amd64.deb
 873d84db5c0f2b1e922db2dae1d242fa2281bb642df19122ca881caa6e23dd09 90736 postgresql-plperl-15_15.9-0+deb12u1_amd64.deb
 677b7ee4e688a34581cc59fc23f86d079ca0ff9f80d852a5a5d719f54c68b49b 178352 postgresql-plpython3-15-dbgsym_15.9-0+deb12u1_amd64.deb
 565b6079f43264fe9c12c1c3b3751098f235135bdb453225fedbef5dcc83faae 111816 postgresql-plpython3-15_15.9-0+deb12u1_amd64.deb
 53de6632f2afad687cccdb342ea519d0fd7f2f9937f5fa6367fbc83f89a31cd5 79640 postgresql-pltcl-15-dbgsym_15.9-0+deb12u1_amd64.deb
 c7b7897bf497f077224966607515f05a70f11aaaab32070d7157f3bc73ccbd1f 42600 postgresql-pltcl-15_15.9-0+deb12u1_amd64.deb
 895fe4a5a3292a8b4364480e77762625bdf235234a8ecfc106271eec692e3cf5 1146520 postgresql-server-dev-15_15.9-0+deb12u1_amd64.deb
Files:
 5f36247f9ba671c54f745b7b30568511 16644 debug optional libecpg-compat3-dbgsym_15.9-0+deb12u1_amd64.deb
 4fca50ff86b367c3fb5677bdfc2a69d4 17548 libs optional libecpg-compat3_15.9-0+deb12u1_amd64.deb
 d2a2411c047f0b5d9e69728fda5f0112 280696 debug optional libecpg-dev-dbgsym_15.9-0+deb12u1_amd64.deb
 d47e0cf691ce655dcd7ff3ee2cec979a 296052 libdevel optional libecpg-dev_15.9-0+deb12u1_amd64.deb
 191a84a6242b3ebbba64fc9785965b6f 113172 debug optional libecpg6-dbgsym_15.9-0+deb12u1_amd64.deb
 b4fad16364534cd538e14dba01baf66f 61736 libs optional libecpg6_15.9-0+deb12u1_amd64.deb
 7e8977b2a2b0acd178e79e33979f0407 88272 debug optional libpgtypes3-dbgsym_15.9-0+deb12u1_amd64.deb
 48b6cfc1f0b437fd5c063f430dd51ee6 45308 libs optional libpgtypes3_15.9-0+deb12u1_amd64.deb
 5b8bd75420d97de91d0c8209362014c5 144628 libdevel optional libpq-dev_15.9-0+deb12u1_amd64.deb
 2b6a0172e00ae669904a470c7717a866 276940 debug optional libpq5-dbgsym_15.9-0+deb12u1_amd64.deb
 220f100b159bc855c5e6511708eea095 191108 libs optional libpq5_15.9-0+deb12u1_amd64.deb
 09bff158c2cf80a5c6eeaa017dfc53bd 16891660 debug optional postgresql-15-dbgsym_15.9-0+deb12u1_amd64.deb
 cff4f783cf44e5dccef78c2c1ca7c25a 16984 database optional postgresql-15_15.9-0+deb12u1_amd64-buildd.buildinfo
 f2f201504cdb491efd8715c376748e78 16824988 database optional postgresql-15_15.9-0+deb12u1_amd64.deb
 5ff9e37f8a3c4ba5e8b6ee8c89941071 2419272 debug optional postgresql-client-15-dbgsym_15.9-0+deb12u1_amd64.deb
 e53de4f909a170ab7fda0ec8e7a2713a 1704276 database optional postgresql-client-15_15.9-0+deb12u1_amd64.deb
 21e89f306d42c3b57450353a4e0a4848 186756 debug optional postgresql-plperl-15-dbgsym_15.9-0+deb12u1_amd64.deb
 c6a9c043110c6fbc4c06888be44f5455 90736 database optional postgresql-plperl-15_15.9-0+deb12u1_amd64.deb
 a2695d3860eac92d22ed2648b57e13d3 178352 debug optional postgresql-plpython3-15-dbgsym_15.9-0+deb12u1_amd64.deb
 81b611ee9233fa1d3835291e0f5ea4c1 111816 database optional postgresql-plpython3-15_15.9-0+deb12u1_amd64.deb
 2ff89add49626da11263460800b5bde0 79640 debug optional postgresql-pltcl-15-dbgsym_15.9-0+deb12u1_amd64.deb
 29652e52c88d096e2c2186370c78793e 42600 database optional postgresql-pltcl-15_15.9-0+deb12u1_amd64.deb
 574fe0b7e2c38aada58dd9d8e796f6e2 1146520 libdevel optional postgresql-server-dev-15_15.9-0+deb12u1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEe8x49oT2k+seQstpgDm7h4zfCpIFAmczet8ACgkQgDm7h4zf
CpIQCw/+MfbwsQv+u8VtvuT+7X81/2bu1aCpB21jRzSRNtHtbstxWv/zXLcw/0i1
i291wFOXjqtBHX2Gssvb8AW0b7pIKj6fO/HEhZbWPGDCQa2R2AKUeJIsFT+AO5Zi
KUZnrJeQHyBnIfLumgCrqCY4Em/LcstHjHSNpD5J/k+S/dzEwLewySGk/pROz6hO
91TLmlKzf5hJBQ75tj1uLMxXyLqui+UW7eKb5rXK+Zl0m+qQvPIdfawS+0T3kkml
6chkBgtUuM8c7X3DqRUI4uf/j0TlSMv1N+XU1s2lSUhLBLdD4rst9Zm+9Pi+aw43
QGy1j+gZI6WuCEGe0N9wrrQTWZrK6hONLnKwX/UADBK9NUSRw24aR2nhYBXiM3/E
szMhyvyYxnvcwCM8lxMe4jxh9MVJbs4vohK8IkM5JjpakNpB+jM+wKv895XLXRNx
IuLyK4GbYbaTdwuDmrxd9P3pjyZdZKN1NWvTNWDowASjdhJx3+wqc0rM4mZpHAih
v1BT8YTvbky18/va5OVmN+/iL6DF2WU5jwOE9MxXdTsCHatKS4wN4cPeRrPzUC1b
gV+kE8D6RX8ZscsLqoawc3X5hKuxNybCOO/2VLcG72ur+EBtpjrdAwmve1K4uF+a
uD8Htjh6x4Hb1CybPfqgoGHV8lTnna2D/1XqsQ3cKF7yA8EKSIo=
=M7hL
-----END PGP SIGNATURE-----
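The following is an added example, not part of this upload record and not tooling from the Debian or PostgreSQL projects. It shows how a consumer of a .changes file like the one above can parse the RFC 822-style control fields (including multi-line fields such as Changes and the checksum lists inside a PGP cleartext-signature wrapper), cross-check that Checksums-Sha1, Checksums-Sha256 and Files agree on file names and sizes, and verify downloaded packages against the recorded SHA-256 digests and sizes. The sample package, its digests and all field values in the block are constructed for the demonstration; the PGP signature itself is not verified here, which is gpg's job and precedes trusting any of the checksums.

```python
"""Parser and checksum verifier for Debian .changes files (added example)."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

PGP_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG = "-----BEGIN PGP SIGNATURE-----"


def parse_changes(text: str) -> Dict[str, str]:
    """Return {field: value}; multi-line fields keep one line per entry.

    If the text is a PGP cleartext-signed message, the armor headers (e.g.
    "Hash: SHA512") up to the first blank line and everything from the
    detached signature onward are skipped, and dash-escaping is undone.
    """
    lines = text.splitlines()
    if lines and lines[0].startswith(PGP_SIGNED):
        lines = lines[lines.index("") + 1:] if "" in lines else []
    fields: Dict[str, str] = {}
    current = None
    for line in lines:
        if line.startswith(PGP_SIG):
            break
        if line.startswith("- "):          # cleartext dash-escaped line
            line = line[2:]
        if not line.strip():
            continue
        if line[0] in " \t":               # continuation of a multi-line field
            if current is None:
                raise ValueError("continuation line before any field")
            body = line[1:]
            fields[current] = fields[current] + "\n" + body if fields[current] else body
            continue
        name, sep, value = line.partition(":")
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", name):
            raise ValueError(f"malformed field line: {line!r}")
        current = name
        fields[name] = value.strip()
    return fields


def parse_checksums(field_value: str, hexlen: int) -> Dict[str, Tuple[str, int]]:
    """Parse '<digest> <size> [...] <name>' lines into {name: (digest, size)}.

    Works for Checksums-Sha1 (40 hex), Checksums-Sha256 (64) and Files (32,
    whose lines carry section and priority before the file name).
    """
    out: Dict[str, Tuple[str, int]] = {}
    for raw in field_value.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if len(parts) < 3:
            raise ValueError(f"short checksum line: {raw!r}")
        digest, size, name = parts[0], int(parts[1]), parts[-1]
        if len(digest) != hexlen or not re.fullmatch(r"[0-9a-f]+", digest):
            raise ValueError(f"bad digest for {name}: {digest!r}")
        if name in out:
            raise ValueError(f"duplicate entry for {name}")
        out[name] = (digest, size)
    return out


def cross_check(fields: Dict[str, str]) -> List[str]:
    """List inconsistencies between the three checksum sections (empty means consistent)."""
    sha1 = parse_checksums(fields["Checksums-Sha1"], 40)
    sha256 = parse_checksums(fields["Checksums-Sha256"], 64)
    files = parse_checksums(fields["Files"], 32)
    problems = []
    for name in sorted(set(sha1) | set(sha256) | set(files)):
        if not (name in sha1 and name in sha256 and name in files):
            problems.append(f"{name}: missing from at least one section")
            continue
        sizes = {sha1[name][1], sha256[name][1], files[name][1]}
        if len(sizes) != 1:
            problems.append(f"{name}: size mismatch {sorted(sizes)}")
    return problems


def verify_files(fields: Dict[str, str], directory: str) -> Dict[str, str]:
    """Check every Checksums-Sha256 entry against files in `directory`."""
    results = {}
    for name, (digest, size) in parse_checksums(fields["Checksums-Sha256"], 64).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = "size mismatch"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == digest else "sha256 mismatch"
    return results


# Constructed sample .changes text (no real signature, no real package).
SAMPLE_TEMPLATE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Source: example-pkg
Version: 1.0-1
Distribution: bookworm-security
Checksums-Sha1:
 {sha1} {size} {name}
Checksums-Sha256:
 {sha256} {size} {name}
Files:
 {md5} {size} misc optional {name}
Changes:
 example-pkg (1.0-1) bookworm-security; urgency=medium
 .
   * Constructed changelog entry for this example.

-----BEGIN PGP SIGNATURE-----
(constructed sample: no real signature)
-----END PGP SIGNATURE-----
"""
SAMPLE_NAME = "example-pkg_1.0-1_amd64.deb"


def write_sample(directory: str) -> str:
    """Write a constructed package file and return a .changes text that matches it."""
    payload = b"constructed sample payload, not a real .deb\n" * 64
    with open(os.path.join(directory, SAMPLE_NAME), "wb") as f:
        f.write(payload)
    return SAMPLE_TEMPLATE.format(
        name=SAMPLE_NAME, size=len(payload),
        sha1=hashlib.sha1(payload).hexdigest(),
        sha256=hashlib.sha256(payload).hexdigest(),
        md5=hashlib.md5(payload).hexdigest())


def run_demo() -> Dict[str, object]:
    """Consistent upload, then a tampered file, then a .changes with a size disagreement."""
    with tempfile.TemporaryDirectory() as d:
        fields = parse_changes(write_sample(d))
        out: Dict[str, object] = {
            "source": fields["Source"],
            "cross_check": cross_check(fields),
            "verify_clean": verify_files(fields, d),
        }
        path = os.path.join(d, SAMPLE_NAME)
        with open(path, "rb") as f:
            data = bytearray(f.read())
        data[0] ^= 0x01                     # flip one bit, size unchanged
        with open(path, "wb") as f:
            f.write(data)
        out["verify_tampered"] = verify_files(fields, d)
        os.remove(path)
        out["verify_missing"] = verify_files(fields, d)
        size = parse_checksums(fields["Checksums-Sha256"], 64)[SAMPLE_NAME][1]
        bad = dict(fields)
        bad["Files"] = bad["Files"].replace(f" {size} ", " 1 ")
        out["cross_check_bad"] = cross_check(bad)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the consistent case report "ok", the bit-flipped file report "sha256 mismatch", and the edited Files section surface as a size mismatch between sections. On a real upload, apply `parse_changes` to the signed file only after `gpg --verify` has accepted the signature, then `cross_check` and `verify_files` against the directory holding the downloaded .deb files.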