[ubuntu/questing-proposed] postgresql-17 17.6-1 (Accepted)
Jeremy Bícha
jbicha at ubuntu.com
Thu Aug 14 21:10:47 UTC 2025
postgresql-17 (17.6-1) unstable; urgency=medium

  * New upstream version 17.6.

    + Tighten security checks in planner estimation functions (Dean Rasheed)

      The fix for CVE-2017-7484, plus followup fixes, intended to prevent
      leaky functions from being applied to statistics data for columns that
      the calling user does not have permission to read. Two gaps in that
      protection have been found. One gap applies to partitioning and
      inheritance hierarchies where RLS policies on the tables should restrict
      access to statistics data, but did not.

      The other gap applies to cases where the query accesses a table via a
      view, and the view owner has permissions to read the underlying table
      but the calling user does not have permissions on the view. The view
      owner's permissions satisfied the security checks, and the leaky
      function would get applied to the underlying table's statistics before
      we check the calling user's permissions on the view. This has been
      fixed by making security checks on views occur at the start of planning.
      That might cause permissions failures to occur earlier than before.

      The PostgreSQL Project thanks Dean Rasheed for reporting this problem.
      (CVE-2025-8713)

    + Prevent pg_dump scripts from being used to attack the user running the
      restore (Nathan Bossart)

      Since dump/restore operations typically involve running SQL commands as
      superuser, the target database installation must trust the source
      server. However, it does not follow that the operating system user who
      executes psql to perform the restore should have to trust the source
      server. The risk here is that an attacker who has gained
      superuser-level control over the source server might be able to cause it
      to emit text that would be interpreted as psql meta-commands. That would
      provide shell-level access to the restoring user's own account,
      independently of access to the target database.

      To provide a positive guarantee that this can't happen, extend psql with
      a \restrict command that prevents execution of further meta-commands,
      and teach pg_dump to issue that before any data coming from the source
      server.

      The PostgreSQL Project thanks Martin Rakhmanov, Matthieu Denais, and
      RyotaK for reporting this problem. (CVE-2025-8714)

    + Convert newlines to spaces in names included in comments in pg_dump
      output (Noah Misch)

      Object names containing newlines offered the ability to inject arbitrary
      SQL commands into the output script. (Without the preceding fix,
      injection of psql meta-commands would also be possible this way.)
      CVE-2012-0868 fixed this class of problem at the time, but later work
      reintroduced several cases.

      The PostgreSQL Project thanks Noah Misch for reporting this problem.
      (CVE-2025-8715)

  * Add Turkish debconf translation by Atila KOÇ, thanks! (Closes: #1107984)
  * Drop hurd-iovec patch, implemented upstream.
  * Drop obsolete patches: focal-arm64-outline-atomics, jit-s390x.

Date: 2025-08-14 16:47:24.432051+00:00
Signed-By: Jeremy Bícha <jbicha at ubuntu.com>
https://launchpad.net/ubuntu/+source/postgresql-17/17.6-1
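
A pre-restore check for the pg_dump entries above (CVE-2025-8714 and CVE-2025-8715), added here as an example; it is not code from this upload or from PostgreSQL. It reports every line-leading psql meta-command in a plain-text dump and whether psql would be in restricted mode when it reached that line. Assumptions: \unrestrict is psql's counterpart to \restrict (the changelog names only \restrict), the function name and sample dumps are constructed for illustration, and only meta-commands at the start of a line are examined.

```python
import re

COPY_STDIN = re.compile(r"^COPY\s.*\sFROM\s+stdin;\s*$", re.IGNORECASE)
META = re.compile(r"^\s*\\(\S+)(?:\s+(\S+))?")

def audit_dump(script):
    """Return (line_no, mode, text) for each line-leading psql meta-command
    other than a matched \\restrict / \\unrestrict pair."""
    findings, key, in_copy = [], None, False
    for no, raw in enumerate(script.split("\n"), 1):
        line = raw.rstrip("\r")
        if in_copy:                      # COPY rows may start with "\N"; they are data
            in_copy = line != "\\."
            continue
        if COPY_STDIN.match(line):
            in_copy = True
            continue
        m = META.match(line)
        if not m:
            continue
        cmd, arg = m.groups()
        if key is None and cmd == "restrict" and arg:
            key = arg                    # psql now refuses further meta-commands
        elif key is not None and cmd == "unrestrict" and arg == key:
            key = None                   # only the matching key lifts the restriction
        else:
            findings.append((no, "restricted" if key else "unrestricted", line.strip()))
    return findings

# Constructed sample: a dump that opens with \restrict (the key is made up).
PATCHED = "\n".join([
    "\\restrict CONSTRUCTEDKEY",
    "-- Name: t; Type: TABLE; Schema: public; Owner: app",
    "CREATE TABLE public.t (id integer, note text);",
    "COPY public.t (id, note) FROM stdin;",
    "\\N\tfirst",
    "\\.",
    "\\unrestrict CONSTRUCTEDKEY",
])
# Constructed sample: no \restrict, and a newline in an object name splits its comment.
LEGACY = "\n".join([
    "-- Name: t",
    "\\echo constructed-marker; Type: TABLE; Schema: public; Owner: app",
    "CREATE TABLE public.t (id integer);",
])
# The same split comment inside a restricted region.
GUARDED = "\\restrict CONSTRUCTEDKEY\n" + LEGACY + "\n\\unrestrict CONSTRUCTEDKEY"
if __name__ == "__main__":
    print(audit_dump(PATCHED), audit_dump(LEGACY), audit_dump(GUARDED), sep="\n")
```

An "unrestricted" finding is a meta-command psql would act on during the restore; a "restricted" finding is one psql would refuse, which still indicates the dump deserves inspection.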