UbuntuUpdates.org

Package "postgresql-16"

Name: postgresql-16

Description:

The World's Most Advanced Open Source Relational Database

Latest version: 16.4-0ubuntu0.24.04.1
Release: noble (24.04)
Level: security
Repository: main
Homepage: http://www.postgresql.org/

Other versions of "postgresql-16" in Noble

Repository       Area       Version
base             universe   16.2-1ubuntu4
base             main       16.2-1ubuntu4
security         universe   16.4-0ubuntu0.24.04.1
updates          main       16.4-0ubuntu0.24.04.2
updates          universe   16.4-0ubuntu0.24.04.2
PPA: Postgresql             16.6-1.pgdg22.04+1
PPA: Postgresql             16.6-1.pgdg20.04+1


Changelog

Version: 16.4-0ubuntu0.24.04.1 2024-08-19 17:07:12 UTC

  postgresql-16 (16.4-0ubuntu0.24.04.1) noble-security; urgency=medium

  * New upstream version (LP: #2076183).

    + A dump/restore is not required for those running 16.X.

    + However, if you are upgrading from a version earlier than 16.3, see
      those release notes as well please.

    + Prevent unauthorized code execution during pg_dump (Masahiko Sawada)

      An attacker able to create and drop non-temporary objects could inject
      SQL code that would be executed by a concurrent pg_dump session with the
      privileges of the role running pg_dump (which is often a superuser).
      The attack involves replacing a sequence or similar object with a view
      or foreign table that will execute malicious code. To prevent this,
      introduce a new server parameter restrict_nonsystem_relation_kind that
      can disable expansion of non-builtin views as well as access to foreign
      tables, and teach pg_dump to set it when available. Note that the
      attack is prevented only if both pg_dump and the server it is dumping
      from are new enough to have this fix.

      The PostgreSQL Project thanks Noah Misch for reporting this problem.
      (CVE-2024-7348)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/16/release-16-4.html.

  * d/postgresql-16.NEWS: Update.

 -- Athos Ribeiro <email address hidden> Tue, 06 Aug 2024 15:13:57 -0300

2076183 New upstream microreleases 12.20, 14.13, and 16.4
CVE-2024-7348 Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user ru

Version: 16.3-0ubuntu0.24.04.1 2024-05-30 14:07:16 UTC

  postgresql-16 (16.3-0ubuntu0.24.04.1) noble-security; urgency=medium

  * New upstream version (LP: #2067388).

    + A dump/restore is not required for those running 16.X.

    + However, a security vulnerability was found in the system views
      pg_stats_ext and pg_stats_ext_exprs, potentially allowing
      authenticated database users to see data they shouldn't. If this is of
      concern in your installation, follow the steps below to rectify it.

    + Also, if you are upgrading from a version earlier than 16.2, see
      those release notes as well please.

    + Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries
      to the table owner (Nathan Bossart)

      These views failed to hide statistics for expressions that involve
      columns the accessing user does not have permission to read. View
      columns such as most_common_vals might expose security-relevant
      data. The potential interactions here are not fully clear, so in the
      interest of erring on the side of safety, make rows in these views
      visible only to the owner of the associated table.

      The PostgreSQL Project thanks Lukas Fittl for reporting this
      problem.

      By itself, this fix will only fix the behavior in newly initdb'd
      database clusters. If you wish to apply this change in an existing
      cluster, you will need to do the following:

        - In each database of the cluster, run the
          /usr/share/postgresql/16/fix-CVE-2024-4317.sql script as superuser. In
          psql this would look like:

            \i /usr/share/postgresql/16/fix-CVE-2024-4317.sql

          It will not hurt to run the script more than once.

        - Do not forget to include the template0 and template1 databases,
          or the vulnerability will still exist in databases you create
          later. To fix template0, you'll need to temporarily make it accept
          connections. Do that with:

            ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

          and then after fixing template0, undo it with:

            ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;

      (CVE-2024-4317)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/16/release-16-3.html.

  * d/postgresql-16.NEWS: Update.

 -- Sergio Durigan Junior <email address hidden> Wed, 29 May 2024 13:16:10 -0400

2067388 New upstream microreleases 12.19, 14.12, 15.7 and 16.3
CVE-2024-4317 Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common value
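The 16.3 entry above lists the CVE-2024-4317 steps for an existing cluster by hand: run the fix script in every database, and temporarily let template0 accept connections. This is an added example, not the changelog's or PostgreSQL's own code, that automates those steps; it assumes psql is on PATH with PGHOST/PGUSER connecting as a superuser, and the DRY_RUN/DRY_RUN_DBS switches are this script's own invention for reviewing the plan before applying it.

```shell
#!/bin/sh
# Added example (not from the changelog or PostgreSQL): apply
# fix-CVE-2024-4317.sql to every database of a 16.x cluster, template0 and
# template1 included, toggling template0's ALLOW_CONNECTIONS as described.
# Assumptions: psql is on PATH and PGHOST/PGUSER connect as a superuser;
# DRY_RUN=1 prints the commands instead of running them (DRY_RUN_DBS then
# supplies the database list), so the plan can be reviewed first.
FIX_SQL=${FIX_SQL:-/usr/share/postgresql/16/fix-CVE-2024-4317.sql}
# run_psql DB [psql args...]: one psql invocation against DB, stopping on error
run_psql() {
  target=$1; shift
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'psql -d %s %s\n' "$target" "$*"
  else
    psql -X -q -v ON_ERROR_STOP=1 -d "$target" "$@"
  fi
}

# list_databases: every database in the cluster, template0 and template1 included
list_databases() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' ${DRY_RUN_DBS:-postgres template0 template1}  # unquoted: split on spaces
  else
    psql -X -At -d postgres -c 'SELECT datname FROM pg_database ORDER BY datname'
  fi
}

# fix_database DB: run the script in DB; template0 must briefly accept
# connections, and ALLOW_CONNECTIONS is switched back off even if the script fails.
fix_database() {
  name=$1
  if [ "$name" = template0 ]; then
    run_psql postgres -c 'ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true' || return 1
  fi
  run_psql "$name" -f "$FIX_SQL"
  rc=$?
  if [ "$name" = template0 ]; then
    run_psql postgres -c 'ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false' || return 1
  fi
  return "$rc"
}

# fix_cluster: the script is safe to run more than once, so visit every database
fix_cluster() {
  for d in $(list_databases); do
    fix_database "$d" || return 1
  done
}
if [ "${1:-}" = run ]; then fix_cluster; fi  # usage: DRY_RUN=1 sh fix-4317.sh run
```

Run it with DRY_RUN=1 first to see the exact psql commands it would issue, then without to apply them; the script stops at the first psql error so a half-applied cluster is visible rather than silent.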


