Ubuntu
postgresql-15 package

Change log for postgresql-15 package in Ubuntu

111 of 11 results FirstPreviousNextLast
Published in lunar-updates
Published in lunar-security 
postgresql-15 (15.4-0ubuntu0.23.04.1) lunar-security; urgency=medium

  * New upstream version (LP: #2028426).

    + A dump/restore is not required for those running 15.X.

    + However, if you use BRIN indexes, it may be advisable to reindex them.

    + Also, if you are upgrading from a version earlier than 15.1, see
      those release notes as well please.

    + Disallow substituting a schema or owner name into an extension script
      if the name contains a quote, backslash, or dollar sign (Noah Misch)

      This restriction guards against SQL-injection hazards for trusted
      extensions.
      (CVE-2023-39417)

    + Fix MERGE to enforce row security policies properly (Dean Rasheed)
      (CVE-2023-39418)

    + Fix confusion between empty (no rows) ranges and all-NULL ranges in
      BRIN indexes, as well as incorrect merging of all-NULL summaries
      (Tomas Vondra)

      Each of these oversights could result in forgetting that a BRIN
      index range contains any NULL values, potentially allowing
      subsequent queries that should return NULL values to miss doing so.

      This fix will not in itself correct faulty BRIN entries.
      It's recommended to REINDEX any BRIN indexes that
      may be used to search for nulls.

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/15/release-15-4.html.

 -- Athos Ribeiro <email address hidden>  Wed, 09 Aug 2023 09:00:47 -0300
Published in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic) 
postgresql-15 (15.4-1ubuntu1) mantic; urgency=medium

  * d/control: pin llvm-15 build dependencies. (LP: #2029498)

 -- Athos Ribeiro <email address hidden>  Thu, 10 Aug 2023 20:53:01 -0300
Superseded in mantic-proposed 
postgresql-15 (15.4-1) unstable; urgency=medium

  * New upstream version.

    + Disallow substituting a schema or owner name into an extension script if
      the name contains a quote, backslash, or dollar sign (Noah Misch)

      This restriction guards against SQL-injection hazards for trusted
      extensions.

      The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim
      Carey-Smith, and Christoph Berg for reporting this problem.
      (CVE-2023-39417)

    + Fix MERGE to enforce row security policies properly (Dean Rasheed)

      When MERGE performs an UPDATE action, it should enforce any UPDATE or
      SELECT RLS policies defined on the target table, to be consistent with
      the way that a plain UPDATE with a WHERE clause works.  Instead it was
      enforcing INSERT RLS policies for both INSERT and UPDATE actions.

      In addition, when MERGE performs a DO NOTHING action, it applied the
      target table's DELETE RLS policies to existing rows, even though those
      rows are not being deleted.  While it's not a security problem, this
      could result in unwanted errors.

      The PostgreSQL Project thanks Dean Rasheed for reporting this problem.
      (CVE-2023-39418)

  * Test-Depend on tzdata-legacy | tzdata (<< 2023c-8).

 -- Christoph Berg <email address hidden>  Tue, 08 Aug 2023 10:10:20 +0200

Available diffs

Superseded in lunar-updates
Superseded in lunar-security 
postgresql-15 (15.3-0ubuntu0.23.04.1) lunar-security; urgency=medium

  * New upstream version (LP: #2019214).

    + A dump/restore is not required for those running 15.X.

    + Also, if you are upgrading from a version earlier than 15.1, see
      those release notes as well please.

    + Prevent CREATE SCHEMA from defeating changes in search_path
      (Alexander Lakhin)

      Within a CREATE SCHEMA command, objects in the prevailing
      search_path, as well as those in the newly-created schema, would be
      visible even within a called function or script that attempted to set
      a secure search_path. This could allow any user having permission to
      create a schema to hijack the privileges of a security definer
      function or extension script.
      (CVE-2023-2454)

    + Enforce row-level security policies correctly after inlining a
      set-returning function (Stephen Frost, Tom Lane)

      If a set-returning SQL-language function refers to a table having
      row-level security policies, and it can be inlined into a calling
      query, those RLS policies would not get enforced properly in some
      cases involving re-using a cached plan under a different role. This
      could allow a user to see or modify rows that should have been
      invisible.
      (CVE-2023-2455)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/15/release-15-3.html.

 -- Sergio Durigan Junior <email address hidden>  Thu, 11 May 2023 16:24:27 -0400
Superseded in mantic-proposed 
postgresql-15 (15.3-0+deb12u1) unstable; urgency=medium

  * New upstream version.

    + Prevent CREATE SCHEMA from defeating changes in search_path
      (Report and fix by Alexander Lakhin, CVE-2023-2454)

      Within a CREATE SCHEMA command, objects in the prevailing search_path,
      as well as those in the newly-created schema, would be visible even
      within a called function or script that attempted to set a secure
      search_path.  This could allow any user having permission to create a
      schema to hijack the privileges of a security definer function or
      extension script.

    + Enforce row-level security policies correctly after inlining a
      set-returning function (Report by Wolfgang Walther, CVE-2023-2455)

      If a set-returning SQL-language function refers to a table having
      row-level security policies, and it can be inlined into a calling query,
      those RLS policies would not get enforced properly in some cases
      involving re-using a cached plan under a different role. This could
      allow a user to see or modify rows that should have been invisible.

 -- Christoph Berg <email address hidden>  Tue, 09 May 2023 19:05:02 +0200

Available diffs

Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic) 
postgresql-15 (15.3-1) experimental; urgency=medium

  * New upstream version.

    + Prevent CREATE SCHEMA from defeating changes in search_path
      (Report and fix by Alexander Lakhin, CVE-2023-2454)

      Within a CREATE SCHEMA command, objects in the prevailing search_path,
      as well as those in the newly-created schema, would be visible even
      within a called function or script that attempted to set a secure
      search_path.  This could allow any user having permission to create a
      schema to hijack the privileges of a security definer function or
      extension script.

    + Enforce row-level security policies correctly after inlining a
      set-returning function (Report by Wolfgang Walther, CVE-2023-2455)

      If a set-returning SQL-language function refers to a table having
      row-level security policies, and it can be inlined into a calling query,
      those RLS policies would not get enforced properly in some cases
      involving re-using a cached plan under a different role. This could
      allow a user to see or modify rows that should have been invisible.

  * Reenable JIT on s390x using workaround patch from SUSE.

 -- Christoph Berg <email address hidden>  Tue, 09 May 2023 19:05:02 +0200
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic) 
postgresql-15 (15.2-2) unstable; urgency=medium

  * Add Romanian debconf translation, mulțumesc Remus-Gabriel Chelu!
  * Fix update-alternatives when doc package is installed stand-alone.

 -- Christoph Berg <email address hidden>  Mon, 27 Feb 2023 10:30:23 +0100

Available diffs

Superseded in mantic-release
Published in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar) 
postgresql-15 (15.2-1) unstable; urgency=medium

  * New upstream version.

    + libpq can leak memory contents after GSSAPI transport encryption
      initiation fails (Jacob Champion)

      A modified server, or an unauthenticated man-in-the-middle, can send a
      not-zero-terminated error message during setup of GSSAPI (Kerberos)
      transport encryption.  libpq will then copy that string, as well as
      following bytes in application memory up to the next zero byte, to its
      error report. Depending on what the calling application does with the
      error report, this could result in disclosure of application memory
      contents.  There is also a small probability of a crash due to reading
      beyond the end of memory.  Fix by properly zero-terminating the server
      message. (CVE-2022-41862)

 -- Christoph Berg <email address hidden>  Tue, 07 Feb 2023 14:57:10 +0100
Superseded in lunar-proposed 
postgresql-15 (15.1-1build2) lunar; urgency=medium

  * Rebuild against latest icu

 -- Jeremy Bicha <email address hidden>  Sun, 05 Feb 2023 08:43:02 -0500

Available diffs

Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar) 
postgresql-15 (15.1-1build1) lunar; urgency=medium

  * No-change rebuild with Python 3.11 as default

 -- Graham Inggs <email address hidden>  Mon, 26 Dec 2022 10:03:07 +0000

Available diffs

Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
Superseded in lunar-proposed 
postgresql-15 (15.1-1) unstable; urgency=medium

  * New upstream version.

 -- Christoph Berg <email address hidden>  Tue, 08 Nov 2022 10:59:12 +0100
111 of 11 results FirstPreviousNextLast