-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 07 Aug 2024 15:24:37 +0200
Source: postgresql-15
Architecture: source
Version: 15.8-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
Changes:
 postgresql-15 (15.8-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version.
 .
     + Prevent unauthorized code execution during pg_dump (Masahiko Sawada)
 .
       An attacker able to create and drop non-temporary objects could inject
       SQL code that would be executed by a concurrent pg_dump session with
       the privileges of the role running pg_dump (which is often a
       superuser). The attack involves replacing a sequence or similar object
       with a view or foreign table that will execute malicious code. To
       prevent this, introduce a new server parameter
       restrict_nonsystem_relation_kind that can disable expansion of
       non-builtin views as well as access to foreign tables, and teach
       pg_dump to set it when available. Note that the attack is prevented
       only if both pg_dump and the server it is dumping from are new enough
       to have this fix.
 .
       The PostgreSQL Project thanks Noah Misch for reporting this problem.
       (CVE-2024-7348)
 .
   * Refresh debian/patches/focal-arm64-outline-atomics.
Checksums-Sha1:
 37fcb91398dd283de89e34fd5a5f23e889e7ca26 3919 postgresql-15_15.8-0+deb12u1.dsc
 4decf90a7557c41fc61312e8696f59e0f7123d2a 23119460 postgresql-15_15.8.orig.tar.bz2
 1a507b731b529206899be375aef4efce6538a387 26132 postgresql-15_15.8-0+deb12u1.debian.tar.xz
Checksums-Sha256:
 79ec6c54824ad3653a75400593e9741fd69d2a6fa9bf73fa95785562ee25c3b0 3919 postgresql-15_15.8-0+deb12u1.dsc
 4403515f9a69eeb3efebc98f30b8c696122bfdf895e92b3b23f5b8e769edcb6a 23119460 postgresql-15_15.8.orig.tar.bz2
 7587beb629016891e3493f1458bbcc2d774012b82fb5cc40e55b53c248a9bb79 26132 postgresql-15_15.8-0+deb12u1.debian.tar.xz
Files:
 db8f62cb8d1d0cfbce3699ca932b24b2 3919 database optional postgresql-15_15.8-0+deb12u1.dsc
 66fad6344ae2b748f6ef4db19589bf07 23119460 database optional postgresql-15_15.8.orig.tar.bz2
 15244f20fc7bc5ad0fde2050a87a22a9 26132 database optional postgresql-15_15.8-0+deb12u1.debian.tar.xz
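The changelog notes that the CVE-2024-7348 mitigation only takes effect when both the pg_dump client and the server it dumps from carry the fix. The following POSIX shell check is an added example, not part of this Debian upload or of PostgreSQL itself; it assumes the 15.x fix version is 15.8 (the version in this upload) and only judges 15.x on both sides, since this page does not state the fix version for other majors.

```shell
#!/bin/sh
# Added example: verify that both pg_dump and the server are at least 15.8,
# the postgresql-15 release carrying the CVE-2024-7348 fix. Assumption: only
# major version 15 is covered here; other majors are reported as "not judged".

FIXED_15=15.8

# Reduce a version string to "major.minor". Handles inputs such as
#   "pg_dump (PostgreSQL) 15.8 (Debian 15.8-0+deb12u1)"   (pg_dump --version)
#   "15.8 (Debian 15.8-0+deb12u1)"                         (SHOW server_version)
pg_version_number() {
    printf '%s\n' "$1" | sed 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/'
}

# True (exit 0) when "major.minor" $1 is at least "major.minor" $2.
version_at_least() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]
}

# $1: output of `pg_dump --version`, $2: output of `SHOW server_version`.
# Exit 0 when both sides are fixed, 1 when at least one is not, 2 when a side
# is not a 15.x version and therefore cannot be judged by this script.
both_sides_fixed() {
    client=$(pg_version_number "$1")
    server=$(pg_version_number "$2")
    for v in "$client" "$server"; do
        [ "${v%%.*}" = "15" ] || {
            echo "not a 15.x version ($v): fix version for this major not judged here" >&2
            return 2
        }
    done
    version_at_least "$client" "$FIXED_15" && version_at_least "$server" "$FIXED_15"
}

# Live mode: query the real binaries (connection settings come from the usual
# PG* environment variables).
if [ "${1-}" = "--live" ]; then
    if both_sides_fixed "$(pg_dump --version)" "$(psql -XAtc 'SHOW server_version')"; then
        echo "pg_dump and server both carry the CVE-2024-7348 fix"
    else
        echo "CVE-2024-7348 mitigation NOT fully in effect: update the older side"
    fi
fi
```

Run with `--live` against the server pg_dump normally connects to; the mitigation is only complete when the script reports both sides fixed.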