Univention Bugzilla – Bug 55093
postgresql-11: Multiple issues (5.0)
Last modified: 2022-08-17 17:32:05 CEST
New Debian postgresql-11 11.17-0+deb10u1 fixes:

This update addresses the following issue:

* postgresql-11 (CVE-2022-2625)
--- mirror/ftp/pool/main/p/postgresql-11/postgresql-11_11.16-0+deb10u1.dsc +++ apt/ucs_5.0-0-errata5.0-2/source/postgresql-11_11.17-0+deb10u1.dsc @@ -1,3 +1,20 @@ +11.17-0+deb10u1 [Thu, 11 Aug 2022 14:03:50 +0200] Christoph Berg <myon@debian.org>: + + * New upstream version. + + + Do not let extension scripts replace objects not already belonging to + the extension (Tom Lane) (CVE-2022-2625) + + This change prevents extension scripts from doing CREATE OR REPLACE if + there is an existing object that does not belong to the extension. It + also prevents CREATE IF NOT EXISTS in the same situation. This prevents + a form of trojan-horse attack in which a hostile database user could + become the owner of an extension object and then modify it to compromise + future uses of the object by other users. As a side benefit, it also + reduces the risk of accidentally replacing objects one did not mean to. + + The PostgreSQL Project thanks Sven Klemm for reporting this problem. + 11.16-0+deb10u1 [Wed, 11 May 2022 15:15:30 +0200] Christoph Berg <myon@debian.org>: * New upstream release. <http://piuparts.knut.univention.de/5.0-2/#4858746697307079304>
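Review bot: the erratum announcement above only names CVE-2022-2625, while this changelog hunk carries the one-line summary that administrators actually need to judge exposure ("Do not let extension scripts replace objects not already belonging to the extension"); consider carrying that sentence, plus the note that both CREATE OR REPLACE and CREATE IF NOT EXISTS from extension scripts are now refused when a pre-existing object is not owned by the extension, into the erratum text so the risk (a database user taking ownership of an extension object to alter it for later users) is visible without opening the upstream advisory.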
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-2] 85a6b1a5f7 Bug #55093: postgresql-11 11.17-0+deb10u1
 doc/errata/staging/postgresql-11.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x385>