From 227dfddf97095ba66b5afbed29260245eea53088fcdefc230d0dde101d270642 Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Thu, 9 May 2024 14:13:39 +0000 Subject: [PATCH] CVE-2024-4317 OBS-URL: https://build.opensuse.org/package/show/server:database:postgresql/postgresql15?expand=0&rev=49 --- postgresql-15.6.tar.bz2 | 3 --- postgresql-15.6.tar.bz2.sha256 | 1 - postgresql-15.7.tar.bz2 | 3 +++ postgresql-15.7.tar.bz2.sha256 | 1 + postgresql15.changes | 25 +++++++++++++++++++++++++ postgresql15.spec | 2 +- 6 files changed, 30 insertions(+), 5 deletions(-) delete mode 100644 postgresql-15.6.tar.bz2 delete mode 100644 postgresql-15.6.tar.bz2.sha256 create mode 100644 postgresql-15.7.tar.bz2 create mode 100644 postgresql-15.7.tar.bz2.sha256 diff --git a/postgresql-15.6.tar.bz2 b/postgresql-15.6.tar.bz2 deleted file mode 100644 index 0009aa6..0000000 --- a/postgresql-15.6.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:8455146ed9c69c93a57de954aead0302cafad035c2b242175d6aa1e17ebcb2fb -size 23093967 diff --git a/postgresql-15.6.tar.bz2.sha256 b/postgresql-15.6.tar.bz2.sha256 deleted file mode 100644 index f37c20c..0000000 --- a/postgresql-15.6.tar.bz2.sha256 +++ /dev/null @@ -1 +0,0 @@ -8455146ed9c69c93a57de954aead0302cafad035c2b242175d6aa1e17ebcb2fb postgresql-15.6.tar.bz2 diff --git a/postgresql-15.7.tar.bz2 b/postgresql-15.7.tar.bz2 new file mode 100644 index 0000000..35e3c1c --- /dev/null +++ b/postgresql-15.7.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a46fe49485ab6385e39dabbbb654f5d3049206f76cd695e224268729520998f7 +size 23112318 diff --git a/postgresql-15.7.tar.bz2.sha256 b/postgresql-15.7.tar.bz2.sha256 new file mode 100644 index 0000000..d5db1d8 --- /dev/null +++ b/postgresql-15.7.tar.bz2.sha256 @@ -0,0 +1 @@ +a46fe49485ab6385e39dabbbb654f5d3049206f76cd695e224268729520998f7 postgresql-15.7.tar.bz2 diff --git a/postgresql15.changes b/postgresql15.changes index 258fc59..4d7bd10 100644 --- a/postgresql15.changes +++ b/postgresql15.changes @@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Thu May 9 14:06:24 UTC 2024 - Marcus Rueckert + +- Upgrade to 15.7: + CVE-2024-4317: Restrict visibility of pg_stats_ext and + pg_stats_ext_exprs entries to the table owner + + Missing authorization in PostgreSQL built-in views pg_stats_ext + and pg_stats_ext_exprs allows an unprivileged database user to + read most common values and other statistics from CREATE + STATISTICS commands of other users. The most common values may + reveal column values the eavesdropper could not otherwise read or + results of functions they cannot execute. + + This fix only fixes fresh PostgreSQL installations, namely those + that are created with the initdb utility after this fix is + applied. If you have a current PostgreSQL installation and are + concerned about this issue, please follow the instructions in the + "Updating" section on this link: + https://www.postgresql.org/about/news/postgresql-163-157-1412-1315-and-1219-released-2858/ + + The SQL file is in /usr/share/postgresql15/fix-CVE-2024-4317.sql + + https://www.postgresql.org/docs/release/15.7/ + ------------------------------------------------------------------- Wed May 1 15:24:39 UTC 2024 - Aaron Puchert diff --git a/postgresql15.spec b/postgresql15.spec index 4e20674..ca9c186 100644 --- a/postgresql15.spec +++ b/postgresql15.spec @@ -16,7 +16,7 @@ # -%define pgversion 15.6 +%define pgversion 15.7 %define pgmajor 15 %define buildlibs 0 %define tarversion %{pgversion}