Format: 1.8
Date: Sun, 01 Oct 2023 21:50:06 +0200
Source: postgresql-15
Architecture: source
Version: 15.4-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
Changes:
 postgresql-15 (15.4-0+deb12u1) bookworm; urgency=medium
 .
   * New upstream version.
 .
     + Disallow substituting a schema or owner name into an extension script
       if the name contains a quote, backslash, or dollar sign (Noah Misch)
       This restriction guards against SQL-injection hazards for trusted
       extensions.
       The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim
       Carey-Smith, and Christoph Berg for reporting this problem.
       (CVE-2023-39417)
 .
     + Fix MERGE to enforce row security policies properly (Dean Rasheed)
       When MERGE performs an UPDATE action, it should enforce any UPDATE or
       SELECT RLS policies defined on the target table, to be consistent with
       the way that a plain UPDATE with a WHERE clause works. Instead it was
       enforcing INSERT RLS policies for both INSERT and UPDATE actions.
       In addition, when MERGE performs a DO NOTHING action, it applied the
       target table's DELETE RLS policies to existing rows, even though those
       rows are not being deleted. While it's not a security problem, this
       could result in unwanted errors.
       The PostgreSQL Project thanks Dean Rasheed for reporting this problem.
       (CVE-2023-39418)
Checksums-Sha1:
 283d957c3c2c32d2ff80f8643c0c876d031d28a4 3919 postgresql-15_15.4-0+deb12u1.dsc
 9024e68120af0f033d3331c7f298af5a7b2e2bce 22850355 postgresql-15_15.4.orig.tar.bz2
 8eeab041a0468b65e363d56e1871a52f82387a42 24052 postgresql-15_15.4-0+deb12u1.debian.tar.xz
Checksums-Sha256:
 a3c9f2258edbc09878698090467593df81f040aaf90bc623a0475b80a2bf3396 3919 postgresql-15_15.4-0+deb12u1.dsc
 baec5a4bdc4437336653b6cb5d9ed89be5bd5c0c58b94e0becee0a999e63c8f9 22850355 postgresql-15_15.4.orig.tar.bz2
 a3e9a415cdb637e607d50a18603b2611fe80d6a5b3bff12860900a007c60654e 24052 postgresql-15_15.4-0+deb12u1.debian.tar.xz
Files:
 969ac369421d54a355b6d93f2c198fb5 3919 database optional postgresql-15_15.4-0+deb12u1.dsc
 f2f861fb99d742cb9c2f8aa46a8a947d 22850355 database optional postgresql-15_15.4.orig.tar.bz2
 c4fe85144ffd53381d5561c684a85e70 24052 database optional postgresql-15_15.4-0+deb12u1.debian.tar.xz