CVE-2024-4317

OBS-URL: https://build.opensuse.org/package/show/server:database:postgresql/postgresql14?expand=0&rev=68
2024-05-09 14:13:31 +00:00 · 2024-05-09 14:13:31 +00:00 · 393de042f2
commit 393de042f2
parent 2801a6304c
6 changed files with 30 additions and 5 deletions
--- a/postgresql-14.11.tar.bz2
+++ b/postgresql-14.11.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a670bd7dce22dcad4297b261136b3b1d4a09a6f541719562aa14ca63bf2968a8
-size 22354758
--- a/postgresql-14.11.tar.bz2.sha256
+++ b/postgresql-14.11.tar.bz2.sha256
@ -1 +0,0 @@
-a670bd7dce22dcad4297b261136b3b1d4a09a6f541719562aa14ca63bf2968a8  postgresql-14.11.tar.bz2
--- a/postgresql-14.12.tar.bz2
+++ b/postgresql-14.12.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6118d08f9ddcc1bd83cf2b7cc74d3b583bdcec2f37e6245a8ac003b8faa80923
+size 22390865
--- a/postgresql-14.12.tar.bz2.sha256
+++ b/postgresql-14.12.tar.bz2.sha256
@ -0,0 +1 @@
+6118d08f9ddcc1bd83cf2b7cc74d3b583bdcec2f37e6245a8ac003b8faa80923  postgresql-14.12.tar.bz2
--- a/postgresql14.changes
+++ b/postgresql14.changes
@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Thu May  9 14:07:26 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
+
+- Upgrade to 14.12:
+  CVE-2024-4317: Restrict visibility of pg_stats_ext and
+  pg_stats_ext_exprs entries to the table owner
+
+  Missing authorization in PostgreSQL built-in views pg_stats_ext
+  and pg_stats_ext_exprs allows an unprivileged database user to
+  read most common values and other statistics from CREATE
+  STATISTICS commands of other users. The most common values may
+  reveal column values the eavesdropper could not otherwise read or
+  results of functions they cannot execute.
+
+  This fix only fixes fresh PostgreSQL installations, namely those
+  that are created with the initdb utility after this fix is
+  applied. If you have a current PostgreSQL installation and are
+  concerned about this issue, please follow the instructions in the
+  "Updating" section on this link:
+  https://www.postgresql.org/about/news/postgresql-163-157-1412-1315-and-1219-released-2858/
+
+  The SQL file is in /usr/share/postgresql14/fix-CVE-2024-4317.sql
+
+  https://www.postgresql.org/docs/release/14.12/
+
 -------------------------------------------------------------------
 Wed May  1 15:24:39 UTC 2024 - Aaron Puchert <aaronpuchert@alice-dsl.net>

--- a/postgresql14.spec
+++ b/postgresql14.spec
@ -16,7 +16,7 @@
 #


-%define pgversion 14.11
+%define pgversion 14.12
 %define pgmajor 14
 %define buildlibs 0
 %define tarversion %{pgversion}
				`@ -1 +0,0 @@`
				`a670bd7dce22dcad4297b261136b3b1d4a09a6f541719562aa14ca63bf2968a8 postgresql-14.11.tar.bz2`
				`@ -0,0 +1 @@`
				`6118d08f9ddcc1bd83cf2b7cc74d3b583bdcec2f37e6245a8ac003b8faa80923 postgresql-14.12.tar.bz2`