Publishing details
Changelog
postgresql-15 (15.7-0ubuntu0.23.10.1) mantic-security; urgency=medium

  * New upstream version (LP: #2067388).
    + A dump/restore is not required for those running 15.X.
    + However, a security vulnerability was found in the system views
      pg_stats_ext and pg_stats_ext_exprs, potentially allowing
      authenticated database users to see data they shouldn't. If this is of
      concern in your installation, follow the steps below to rectify it.
    + Also, if you are upgrading from a version earlier than 15.6, see
      those release notes as well please.
    + Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries
      to the table owner (Nathan Bossart)
      These views failed to hide statistics for expressions that involve
      columns the accessing user does not have permission to read. View
      columns such as most_common_vals might expose security-relevant
      data. The potential interactions here are not fully clear, so in the
      interest of erring on the side of safety, make rows in these views
      visible only to the owner of the associated table.
      The PostgreSQL Project thanks Lukas Fittl for reporting this
      problem.
      By itself, this fix will only fix the behavior in newly initdb'd
      database clusters. If you wish to apply this change in an existing
      cluster, you will need to do the following:
      - In each database of the cluster, run the
        /usr/share/postgresql/15/fix-CVE-2024-4317.sql script as superuser. In
        psql this would look like:
          \i /usr/share/postgresql/15/fix-CVE-2024-4317.sql
        It will not hurt to run the script more than once.
      - Do not forget to include the template0 and template1 databases,
        or the vulnerability will still exist in databases you create
        later. To fix template0, you'll need to temporarily make it accept
        connections. Do that with:
          ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
        and then after fixing template0, undo it with:
          ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
      (CVE-2024-4317)
    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/15/release-15-7.html.
  * d/postgresql-15.NEWS: Update.

 -- Sergio Durigan Junior <email address hidden>  Tue, 28 May 2024 10:27:51 -0400
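The changelog above spells out a manual per-database procedure for existing clusters: run the fix script in every database, and open template0 for connections just long enough to fix it. The script below is an added example, not part of the Ubuntu package or the PostgreSQL project, that automates exactly that sequence for a whole cluster. It assumes `psql` is on PATH and connects as a superuser (for example when run as the `postgres` OS user), that the fix script lives at the path given in the changelog, and that a database named `postgres` exists to issue the `ALTER DATABASE` statements from (override with `ADMIN_DB`). The plan for each database is built as data first so it can be inspected before anything is executed.

```shell
#!/bin/sh
# Added example (not from the changelog): apply
# /usr/share/postgresql/15/fix-CVE-2024-4317.sql to every database in a
# cluster, including template0 and template1.
# Assumptions: psql is on PATH and connects as a superuser (e.g. run as the
# postgres OS user); ADMIN_DB is an existing database to run ALTER DATABASE from.
set -eu

FIX_SQL="${FIX_SQL:-/usr/share/postgresql/15/fix-CVE-2024-4317.sql}"
ADMIN_DB="${ADMIN_DB:-postgres}"

# Emit the steps for one database as "<db-to-connect-to>|<psql command>".
# template0 refuses connections by default, so it is opened first and closed
# again afterwards, mirroring the release notes. Re-running the script is safe.
plan_for_db() {
    db="$1"
    if [ "$db" = "template0" ]; then
        printf '%s|ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;\n' "$ADMIN_DB"
    fi
    printf '%s|\\i %s\n' "$db" "$FIX_SQL"
    if [ "$db" = "template0" ]; then
        printf '%s|ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;\n' "$ADMIN_DB"
    fi
}

# Number of psql invocations one database needs (1, or 3 for template0).
step_count() {
    plan_for_db "$1" | wc -l | tr -d ' '
}

# Every database in the cluster, template0 included (pg_database lists it).
list_databases() {
    psql -X -At -d "$ADMIN_DB" -c 'SELECT datname FROM pg_database ORDER BY datname;'
}

# Run one plan line: split on the first '|' and hand the command to psql.
# ON_ERROR_STOP makes a failure inside the fix script abort the whole run
# instead of silently leaving template0 open for connections.
run_step() {
    target="${1%%|*}"
    cmd="${1#*|}"
    echo "== $target: $cmd"
    psql -X -v ON_ERROR_STOP=1 -d "$target" -c "$cmd"
}

apply_all() {
    list_databases | while IFS= read -r db; do
        plan_for_db "$db" | while IFS= read -r step; do
            run_step "$step"
        done
    done
}

# Only touch the cluster when explicitly asked:  sh fix-all-dbs.sh --apply
# Without --apply, nothing is executed; call plan_for_db <name> to preview.
case "${1:-}" in
    --apply) apply_all ;;
esac
```

Run it once per cluster as the superuser (`sudo -u postgres sh fix-all-dbs.sh --apply`). Because `plan_for_db` is pure, `plan_for_db template0` shows the three-statement open/fix/close sequence before any connection is made, and the `ON_ERROR_STOP` flag ensures that if the fix script fails mid-way, the run stops loudly rather than continuing with template0 still accepting connections.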
Builds
Built packages
- libecpg-compat3: older version of run-time library for ECPG programs
- libecpg-compat3-dbgsym: debug symbols for libecpg-compat3
- libecpg-dev: development files for ECPG (Embedded PostgreSQL for C)
- libecpg-dev-dbgsym: debug symbols for libecpg-dev
- libecpg6: run-time library for ECPG programs
- libecpg6-dbgsym: debug symbols for libecpg6
- libpgtypes3: shared library libpgtypes for PostgreSQL 15
- libpgtypes3-dbgsym: debug symbols for libpgtypes3
- libpq-dev: header files for libpq5 (PostgreSQL library)
- libpq5: PostgreSQL C client library
- libpq5-dbgsym: debug symbols for libpq5
- postgresql-15: The World's Most Advanced Open Source Relational Database
- postgresql-15-dbgsym: debug symbols for postgresql-15
- postgresql-client-15: front-end programs for PostgreSQL 15
- postgresql-client-15-dbgsym: debug symbols for postgresql-client-15
- postgresql-doc-15: documentation for the PostgreSQL database management system
- postgresql-plperl-15: PL/Perl procedural language for PostgreSQL 15
- postgresql-plperl-15-dbgsym: debug symbols for postgresql-plperl-15
- postgresql-plpython3-15: PL/Python 3 procedural language for PostgreSQL 15
- postgresql-plpython3-15-dbgsym: debug symbols for postgresql-plpython3-15
- postgresql-pltcl-15: PL/Tcl procedural language for PostgreSQL 15
- postgresql-pltcl-15-dbgsym: debug symbols for postgresql-pltcl-15
- postgresql-server-dev-15: development files for PostgreSQL 15 server-side programming
Package files