From 393de042f208535aeeebe39222bb72686fbca518dba344cdf0a47cf40264885f Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Thu, 9 May 2024 14:13:31 +0000 Subject: [PATCH] CVE-2024-4317 OBS-URL: https://build.opensuse.org/package/show/server:database:postgresql/postgresql14?expand=0&rev=68 --- postgresql-14.11.tar.bz2 | 3 --- postgresql-14.11.tar.bz2.sha256 | 1 - postgresql-14.12.tar.bz2 | 3 +++ postgresql-14.12.tar.bz2.sha256 | 1 + postgresql14.changes | 25 +++++++++++++++++++++++++ postgresql14.spec | 2 +- 6 files changed, 30 insertions(+), 5 deletions(-) delete mode 100644 postgresql-14.11.tar.bz2 delete mode 100644 postgresql-14.11.tar.bz2.sha256 create mode 100644 postgresql-14.12.tar.bz2 create mode 100644 postgresql-14.12.tar.bz2.sha256 diff --git a/postgresql-14.11.tar.bz2 b/postgresql-14.11.tar.bz2 deleted file mode 100644 index 560bf25..0000000 --- a/postgresql-14.11.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a670bd7dce22dcad4297b261136b3b1d4a09a6f541719562aa14ca63bf2968a8 -size 22354758 diff --git a/postgresql-14.11.tar.bz2.sha256 b/postgresql-14.11.tar.bz2.sha256 deleted file mode 100644 index c2d2d37..0000000 --- a/postgresql-14.11.tar.bz2.sha256 +++ /dev/null @@ -1 +0,0 @@ -a670bd7dce22dcad4297b261136b3b1d4a09a6f541719562aa14ca63bf2968a8 postgresql-14.11.tar.bz2 diff --git a/postgresql-14.12.tar.bz2 b/postgresql-14.12.tar.bz2 new file mode 100644 index 0000000..6fb8c51 --- /dev/null +++ b/postgresql-14.12.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6118d08f9ddcc1bd83cf2b7cc74d3b583bdcec2f37e6245a8ac003b8faa80923 +size 22390865 diff --git a/postgresql-14.12.tar.bz2.sha256 b/postgresql-14.12.tar.bz2.sha256 new file mode 100644 index 0000000..3c79193 --- /dev/null +++ b/postgresql-14.12.tar.bz2.sha256 @@ -0,0 +1 @@ +6118d08f9ddcc1bd83cf2b7cc74d3b583bdcec2f37e6245a8ac003b8faa80923 postgresql-14.12.tar.bz2 diff --git a/postgresql14.changes b/postgresql14.changes index 9f333b6..619f569 100644 --- a/postgresql14.changes +++ b/postgresql14.changes @@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Thu May 9 14:07:26 UTC 2024 - Marcus Rueckert + +- Upgrade to 14.12: + CVE-2024-4317: Restrict visibility of pg_stats_ext and + pg_stats_ext_exprs entries to the table owner + + Missing authorization in PostgreSQL built-in views pg_stats_ext + and pg_stats_ext_exprs allows an unprivileged database user to + read most common values and other statistics from CREATE + STATISTICS commands of other users. The most common values may + reveal column values the eavesdropper could not otherwise read or + results of functions they cannot execute. + + This fix only fixes fresh PostgreSQL installations, namely those + that are created with the initdb utility after this fix is + applied. If you have a current PostgreSQL installation and are + concerned about this issue, please follow the instructions in the + "Updating" section on this link: + https://www.postgresql.org/about/news/postgresql-163-157-1412-1315-and-1219-released-2858/ + + The SQL file is in /usr/share/postgresql14/fix-CVE-2024-4317.sql + + https://www.postgresql.org/docs/release/14.12/ + ------------------------------------------------------------------- Wed May 1 15:24:39 UTC 2024 - Aaron Puchert diff --git a/postgresql14.spec b/postgresql14.spec index 8fe5382..36dcc35 100644 --- a/postgresql14.spec +++ b/postgresql14.spec @@ -16,7 +16,7 @@ # -%define pgversion 14.11 +%define pgversion 14.12 %define pgmajor 14 %define buildlibs 0 %define tarversion %{pgversion}