From cbed561cfd03818d3802db6f64445d0c51e9fec06f03ea64188d3d8fbf3a1840 Mon Sep 17 00:00:00 2001
From: Marcus Rueckert
Date: Thu, 9 May 2024 14:13:46 +0000
Subject: [PATCH 1/2] CVE-2024-4317
OBS-URL: https://build.opensuse.org/package/show/server:database:postgresql/postgresql16?expand=0&rev=25
---
 postgresql-16.2.tar.bz2 | 3 ---
 postgresql-16.2.tar.bz2.sha256 | 1 -
 postgresql-16.3.tar.bz2 | 3 +++
 postgresql-16.3.tar.bz2.sha256 | 1 +
 postgresql16.changes | 25 +++++++++++++++++++++++++
 postgresql16.spec | 2 +-
 6 files changed, 30 insertions(+), 5 deletions(-)
 delete mode 100644 postgresql-16.2.tar.bz2
 delete mode 100644 postgresql-16.2.tar.bz2.sha256
 create mode 100644 postgresql-16.3.tar.bz2
 create mode 100644 postgresql-16.3.tar.bz2.sha256
diff --git a/postgresql-16.2.tar.bz2 b/postgresql-16.2.tar.bz2
deleted file mode 100644
index 73e12b5..0000000
--- a/postgresql-16.2.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:446e88294dbc2c9085ab4b7061a646fa604b4bec03521d5ea671c2e5ad9b2952
-size 24711703
diff --git a/postgresql-16.2.tar.bz2.sha256 b/postgresql-16.2.tar.bz2.sha256
deleted file mode 100644
index b05db77..0000000
--- a/postgresql-16.2.tar.bz2.sha256
+++ /dev/null
@@ -1 +0,0 @@
-446e88294dbc2c9085ab4b7061a646fa604b4bec03521d5ea671c2e5ad9b2952 postgresql-16.2.tar.bz2
diff --git a/postgresql-16.3.tar.bz2 b/postgresql-16.3.tar.bz2
new file mode 100644
index 0000000..6aef66a
--- /dev/null
+++ b/postgresql-16.3.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:331963d5d3dc4caf4216a049fa40b66d6bcb8c730615859411b9518764e60585
+size 24737644
diff --git a/postgresql-16.3.tar.bz2.sha256 b/postgresql-16.3.tar.bz2.sha256
new file mode 100644
index 0000000..318f3a6
--- /dev/null
+++ b/postgresql-16.3.tar.bz2.sha256
@@ -0,0 +1 @@
+331963d5d3dc4caf4216a049fa40b66d6bcb8c730615859411b9518764e60585 postgresql-16.3.tar.bz2
diff --git a/postgresql16.changes b/postgresql16.changes
index 93dbbbd..a20a4a5 100644
--- a/postgresql16.changes
+++ b/postgresql16.changes
@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Thu May 9 14:02:21 UTC 2024 - Marcus Rueckert
+
+- Upgrade to 16.3:
+ CVE-2024-4317: Restrict visibility of pg_stats_ext and
+ pg_stats_ext_exprs entries to the table owner
+
+ Missing authorization in PostgreSQL built-in views pg_stats_ext
+ and pg_stats_ext_exprs allows an unprivileged database user to
+ read most common values and other statistics from CREATE
+ STATISTICS commands of other users. The most common values may
+ reveal column values the eavesdropper could not otherwise read or
+ results of functions they cannot execute.
+
+ This fix only fixes fresh PostgreSQL installations, namely those
+ that are created with the initdb utility after this fix is
+ applied. If you have a current PostgreSQL installation and are
+ concerned about this issue, please follow the instructions in the
+ "Updating" section on this link:
+ https://www.postgresql.org/about/news/postgresql-163-157-1412-1315-and-1219-released-2858/
+
+ The SQL file is in /usr/share/postgresql16/fix-CVE-2024-4317.sql
+
+ https://www.postgresql.org/docs/release/16.3/
+
 -------------------------------------------------------------------
 Tue Mar 12 22:48:41 UTC 2024 - Aaron Puchert
diff --git a/postgresql16.spec b/postgresql16.spec
index 44125c5..0c80994 100644
--- a/postgresql16.spec
+++ b/postgresql16.spec
@@ -16,7 +16,7 @@
 #
-%define pgversion 16.2
+%define pgversion 16.3
 %define pgmajor 16
 %define buildlibs 1
 %define tarversion %{pgversion}
From f6f2fd362a3ba43d2c539b17399e27c923bd35f1bb82b8e3ba5418dc7bb9971d Mon Sep 17 00:00:00 2001
From: Reinhard Max
Date: Thu, 9 May 2024 15:28:22 +0000
Subject: [PATCH 2/2] - Upgrade to 16.3 (bsc#1224051): * bsc#1224038, CVE-2024-4317: Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner. See the release notes for the steps that have to be taken to fix existing PostgreSQL instances. * Fix incompatibility with LLVM 18. * https://www.postgresql.org/docs/release/16.3/ - Prepare for PostgreSQL 17. - Make sure all compilation and doc generation happens in %build.
OBS-URL: https://build.opensuse.org/package/show/server:database:postgresql/postgresql16?expand=0&rev=26
---
 postgresql16.changes | 32 ++++++++++----------------------
 postgresql16.spec | 24 +++++++++++++++++++-----
 2 files changed, 29 insertions(+), 27 deletions(-)
diff --git a/postgresql16.changes b/postgresql16.changes
index a20a4a5..52ced90 100644
--- a/postgresql16.changes
+++ b/postgresql16.changes
@@ -1,27 +1,15 @@
 -------------------------------------------------------------------
-Thu May 9 14:02:21 UTC 2024 - Marcus Rueckert
+Wed May 8 08:28:48 UTC 2024 - Reinhard Max
-- Upgrade to 16.3:
- CVE-2024-4317: Restrict visibility of pg_stats_ext and
- pg_stats_ext_exprs entries to the table owner
-
- Missing authorization in PostgreSQL built-in views pg_stats_ext
- and pg_stats_ext_exprs allows an unprivileged database user to
- read most common values and other statistics from CREATE
- STATISTICS commands of other users. The most common values may
- reveal column values the eavesdropper could not otherwise read or
- results of functions they cannot execute.
-
- This fix only fixes fresh PostgreSQL installations, namely those
- that are created with the initdb utility after this fix is
- applied. If you have a current PostgreSQL installation and are
- concerned about this issue, please follow the instructions in the
- "Updating" section on this link:
- https://www.postgresql.org/about/news/postgresql-163-157-1412-1315-and-1219-released-2858/
-
- The SQL file is in /usr/share/postgresql16/fix-CVE-2024-4317.sql
-
- https://www.postgresql.org/docs/release/16.3/
+- Upgrade to 16.3 (bsc#1224051):
+ * bsc#1224038, CVE-2024-4317: Restrict visibility of pg_stats_ext
+ and pg_stats_ext_exprs entries to the table owner. See the
+ release notes for the steps that have to be taken to fix
+ existing PostgreSQL instances.
+ * Fix incompatibility with LLVM 18.
+ * https://www.postgresql.org/docs/release/16.3/
+- Prepare for PostgreSQL 17.
+- Make sure all compilation and doc generation happens in %build.
 -------------------------------------------------------------------
 Tue Mar 12 22:48:41 UTC 2024 - Aaron Puchert
diff --git a/postgresql16.spec b/postgresql16.spec
index 0c80994..e3a5de1 100644
--- a/postgresql16.spec
+++ b/postgresql16.spec
@@ -20,7 +20,7 @@
 %define pgmajor 16
 %define buildlibs 1
 %define tarversion %{pgversion}
-%define latest_supported_llvm_ver 17
+%define latest_supported_llvm_ver 18
 ### CUT HERE ###
 %define pgname postgresql%pgmajor
@@ -59,6 +59,12 @@ Name: %pgname
 %define python python
 %endif
+%if %pgmajor >= 17
+%bcond_with dreived
+%else
+%bcond_without derived
+%endif
+
 %if 0%{?suse_version} >= 1500
 %bcond_without liblz4
 %endif
@@ -88,6 +94,12 @@ BuildRequires: zlib-devel
 %if %{with liblz4}
 BuildRequires: pkgconfig(liblz4)
 %endif
+%if %{without derived}
+BuildRequires: bison
+BuildRequires: docbook-xsl-stylesheets
+BuildRequires: flex
+BuildRequires: perl
+%endif
 %if %{with libzstd}
 BuildRequires: pkgconfig(libzstd)
@@ -573,7 +585,7 @@ PACKAGE_TARNAME=%pgname %configure \
 %if %mini
 make -C src/interfaces %{?_smp_mflags} PACKAGE_TARNAME=%pgname
 %else
-make %{?_smp_mflags} PACKAGE_TARNAME=%pgname
+make %{?_smp_mflags} PACKAGE_TARNAME=%pgname world
 %if %{with check}
@@ -641,9 +653,9 @@ find %buildroot -type f -cnewer flag -printf "/%%P\n" |
 > contrib.files
 rm flag
 install -d -m 750 %buildroot/var/lib/pgsql
-install -d -m755 %buildroot%pgdocdir
+install -d -m 755 %buildroot%pgdocdir
 cp doc/KNOWN_BUGS doc/MISSING_FEATURES COPYRIGHT \
- README HISTORY %buildroot%pgdocdir
+ README* HISTORY %buildroot%pgdocdir
 # Use versioned names for the man pages:
 for f in %buildroot%pgmandir/man*/*; do
 mv $f ${f}pg%pgmajor
@@ -701,6 +713,7 @@ genlists main \
 pg_receivewal \
 pg_verify_checksums \
 pg_checksums \
+ pg_combinebackup \
 pg_verifybackup
 %find_lang plpgsql-$VLANG main.files
@@ -711,6 +724,8 @@ genlists server \
 pg_ctl \
 pg_controldata \
 pg_resetwal \
+ pg_createsubscriber \
+ pg_walsummary \
 pg_waldump \
 pg_resetxlog \
 %if %pgmajor >= 15
@@ -924,7 +939,6 @@ fi
 %files llvmjit-devel
 %defattr(-,root,root)
-%doc README
 %files pltcl -f pltcl.lang
 %defattr(-,root,root)
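Review bot: The `%if %pgmajor >= 17` branch in the `@@ -59,6 +59,12 @@` hunk declares `%bcond_with dreived`, a misspelling of the `derived` switch that the `%else` branch and the new `%if %{without derived}` block in the `@@ -88,6 +94,12 @@` hunk refer to. On the 17+ path the `derived` option is therefore never declared; rpm evaluates an undeclared `with_derived` as "without", so the bison/flex/perl/docbook BuildRequires presumably still get pulled in by accident rather than by the declared default, and `--with derived` cannot be toggled on that path. Change the line to `%bcond_with derived` so both branches define the same switch. The `%if`/`%else`/`%endif` block is contained within the hunk.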