From cbed561cfd03818d3802db6f64445d0c51e9fec06f03ea64188d3d8fbf3a1840 Mon Sep 17 00:00:00 2001
From: Marcus Rueckert
Date: Thu, 9 May 2024 14:13:46 +0000
Subject: [PATCH] CVE-2024-4317
OBS-URL: https://build.opensuse.org/package/show/server:database:postgresql/postgresql16?expand=0&rev=25
---
 postgresql-16.2.tar.bz2 | 3 ---
 postgresql-16.2.tar.bz2.sha256 | 1 -
 postgresql-16.3.tar.bz2 | 3 +++
 postgresql-16.3.tar.bz2.sha256 | 1 +
 postgresql16.changes | 25 +++++++++++++++++++++++++
 postgresql16.spec | 2 +-
 6 files changed, 30 insertions(+), 5 deletions(-)
 delete mode 100644 postgresql-16.2.tar.bz2
 delete mode 100644 postgresql-16.2.tar.bz2.sha256
 create mode 100644 postgresql-16.3.tar.bz2
 create mode 100644 postgresql-16.3.tar.bz2.sha256
diff --git a/postgresql-16.2.tar.bz2 b/postgresql-16.2.tar.bz2
deleted file mode 100644
index 73e12b5..0000000
--- a/postgresql-16.2.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:446e88294dbc2c9085ab4b7061a646fa604b4bec03521d5ea671c2e5ad9b2952
-size 24711703
diff --git a/postgresql-16.2.tar.bz2.sha256 b/postgresql-16.2.tar.bz2.sha256
deleted file mode 100644
index b05db77..0000000
--- a/postgresql-16.2.tar.bz2.sha256
+++ /dev/null
@@ -1 +0,0 @@
-446e88294dbc2c9085ab4b7061a646fa604b4bec03521d5ea671c2e5ad9b2952 postgresql-16.2.tar.bz2
diff --git a/postgresql-16.3.tar.bz2 b/postgresql-16.3.tar.bz2
new file mode 100644
index 0000000..6aef66a
--- /dev/null
+++ b/postgresql-16.3.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:331963d5d3dc4caf4216a049fa40b66d6bcb8c730615859411b9518764e60585
+size 24737644
diff --git a/postgresql-16.3.tar.bz2.sha256 b/postgresql-16.3.tar.bz2.sha256
new file mode 100644
index 0000000..318f3a6
--- /dev/null
+++ b/postgresql-16.3.tar.bz2.sha256
@@ -0,0 +1 @@
+331963d5d3dc4caf4216a049fa40b66d6bcb8c730615859411b9518764e60585 postgresql-16.3.tar.bz2
diff --git a/postgresql16.changes b/postgresql16.changes
index 93dbbbd..a20a4a5 100644
--- a/postgresql16.changes
+++ b/postgresql16.changes
@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Thu May 9 14:02:21 UTC 2024 - Marcus Rueckert
+
+- Upgrade to 16.3:
+ CVE-2024-4317: Restrict visibility of pg_stats_ext and
+ pg_stats_ext_exprs entries to the table owner
+
+ Missing authorization in PostgreSQL built-in views pg_stats_ext
+ and pg_stats_ext_exprs allows an unprivileged database user to
+ read most common values and other statistics from CREATE
+ STATISTICS commands of other users. The most common values may
+ reveal column values the eavesdropper could not otherwise read or
+ results of functions they cannot execute.
+
+ This fix only fixes fresh PostgreSQL installations, namely those
+ that are created with the initdb utility after this fix is
+ applied. If you have a current PostgreSQL installation and are
+ concerned about this issue, please follow the instructions in the
+ "Updating" section on this link:
+ https://www.postgresql.org/about/news/postgresql-163-157-1412-1315-and-1219-released-2858/
+
+ The SQL file is in /usr/share/postgresql16/fix-CVE-2024-4317.sql
+
+ https://www.postgresql.org/docs/release/16.3/
+
 -------------------------------------------------------------------
 Tue Mar 12 22:48:41 UTC 2024 - Aaron Puchert
 
diff --git a/postgresql16.spec b/postgresql16.spec
index 44125c5..0c80994 100644
--- a/postgresql16.spec
+++ b/postgresql16.spec
@@ -16,7 +16,7 @@
 #
-%define pgversion 16.2
+%define pgversion 16.3
 %define pgmajor 16
 %define buildlibs 1
 %define tarversion %{pgversion}