From 481e8e504e7c5e35c6d32a0e0bf5221574439dacda611d510547632e9d04328d Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Thu, 9 May 2024 14:13:19 +0000 Subject: [PATCH] CVE-2024-4317 OBS-URL: https://build.opensuse.org/package/show/server:database:postgresql/postgresql12?expand=0&rev=100 --- postgresql-12.18.tar.bz2 | 3 --- postgresql-12.18.tar.bz2.sha256 | 1 - postgresql-12.19.tar.bz2 | 3 +++ postgresql-12.19.tar.bz2.sha256 | 1 + postgresql12.changes | 25 +++++++++++++++++++++++++ postgresql12.spec | 2 +- 6 files changed, 30 insertions(+), 5 deletions(-) delete mode 100644 postgresql-12.18.tar.bz2 delete mode 100644 postgresql-12.18.tar.bz2.sha256 create mode 100644 postgresql-12.19.tar.bz2 create mode 100644 postgresql-12.19.tar.bz2.sha256 diff --git a/postgresql-12.18.tar.bz2 b/postgresql-12.18.tar.bz2 deleted file mode 100644 index 4823ce1..0000000 --- a/postgresql-12.18.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4f9919725d941ce9868e07fe1ed1d3a86748599b483386547583928b74c3918a -size 21208935 diff --git a/postgresql-12.18.tar.bz2.sha256 b/postgresql-12.18.tar.bz2.sha256 deleted file mode 100644 index 4e9c3e4..0000000 --- a/postgresql-12.18.tar.bz2.sha256 +++ /dev/null @@ -1 +0,0 @@ -4f9919725d941ce9868e07fe1ed1d3a86748599b483386547583928b74c3918a postgresql-12.18.tar.bz2 diff --git a/postgresql-12.19.tar.bz2 b/postgresql-12.19.tar.bz2 new file mode 100644 index 0000000..5386117 --- /dev/null +++ b/postgresql-12.19.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:617e3de52c22e822f4f57d01d5b2240503e198a9eccaf598a851109bd18e6fbb +size 21218699 diff --git a/postgresql-12.19.tar.bz2.sha256 b/postgresql-12.19.tar.bz2.sha256 new file mode 100644 index 0000000..7828625 --- /dev/null +++ b/postgresql-12.19.tar.bz2.sha256 @@ -0,0 +1 @@ +617e3de52c22e822f4f57d01d5b2240503e198a9eccaf598a851109bd18e6fbb postgresql-12.19.tar.bz2 diff --git a/postgresql12.changes b/postgresql12.changes index e99292a..87c830a 100644 --- a/postgresql12.changes +++ b/postgresql12.changes @@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Thu May 9 14:09:31 UTC 2024 - Marcus Rueckert + +- Upgrade to 12.19: + CVE-2024-4317: Restrict visibility of pg_stats_ext and + pg_stats_ext_exprs entries to the table owner + + Missing authorization in PostgreSQL built-in views pg_stats_ext + and pg_stats_ext_exprs allows an unprivileged database user to + read most common values and other statistics from CREATE + STATISTICS commands of other users. The most common values may + reveal column values the eavesdropper could not otherwise read or + results of functions they cannot execute. + + This fix only fixes fresh PostgreSQL installations, namely those + that are created with the initdb utility after this fix is + applied. If you have a current PostgreSQL installation and are + concerned about this issue, please follow the instructions in the + "Updating" section on this link: + https://www.postgresql.org/about/news/postgresql-163-157-1412-1315-and-1219-released-2858/ + + The SQL file is in /usr/share/postgresql12/fix-CVE-2024-4317.sql + + https://www.postgresql.org/docs/release/12.19/ + ------------------------------------------------------------------- Wed May 1 15:24:39 UTC 2024 - Aaron Puchert diff --git a/postgresql12.spec b/postgresql12.spec index e4fa01b..fb478fd 100644 --- a/postgresql12.spec +++ b/postgresql12.spec @@ -16,7 +16,7 @@ # -%define pgversion 12.18 +%define pgversion 12.19 %define pgmajor 12 %define buildlibs 0 %define tarversion %{pgversion}