mirror of
https://github.com/postgres/postgres.git
synced 2025-05-03 22:24:49 +03:00
Last-minute updates for release notes.
Security: CVE-2024-4317
This commit is contained in:
Tom Lane
parent
9cc2b62894
commit
7b2ac0f603
@ -23,7 +23,16 @@
|
|||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
However, if you are upgrading from a version earlier than 15.6,
|
However, a security vulnerability was found in the system
|
||||||
|
views <structname>pg_stats_ext</structname>
|
||||||
|
and <structname>pg_stats_ext_exprs</structname>, potentially allowing
|
||||||
|
authenticated database users to see data they shouldn't. If this is
|
||||||
|
of concern in your installation, follow the steps in the first
|
||||||
|
changelog entry below to rectify it.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
Also, if you are upgrading from a version earlier than 15.6,
|
||||||
see <xref linkend="release-15-6"/>.
|
see <xref linkend="release-15-6"/>.
|
||||||
</para>
|
</para>
|
||||||
</sect2>
|
</sect2>
|
||||||
@ -35,6 +44,90 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<!--
|
<!--
|
||||||
|
Author: Nathan Bossart <nathan@postgresql.org>
|
||||||
|
Branch: master [521a7156a] 2024-05-06 09:00:00 -0500
|
||||||
|
Branch: REL_16_STABLE [2485a85e9] 2024-05-06 09:00:07 -0500
|
||||||
|
Branch: REL_15_STABLE [9cc2b6289] 2024-05-06 09:00:13 -0500
|
||||||
|
Branch: REL_14_STABLE [c3425383b] 2024-05-06 09:00:19 -0500
|
||||||
|
-->
|
||||||
|
<para>
|
||||||
|
Restrict visibility of <structname>pg_stats_ext</structname> and
|
||||||
|
<structname>pg_stats_ext_exprs</structname> entries to the table
|
||||||
|
owner (Nathan Bossart)
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
These views failed to hide statistics for expressions that involve
|
||||||
|
columns the accessing user does not have permission to read. View
|
||||||
|
columns such as <structfield>most_common_vals</structfield> might
|
||||||
|
expose security-relevant data. The potential interactions here are
|
||||||
|
not fully clear, so in the interest of erring on the side of safety,
|
||||||
|
make rows in these views visible only to the owner of the associated
|
||||||
|
table.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
The <productname>PostgreSQL</productname> Project thanks
|
||||||
|
Lukas Fittl for reporting this problem.
|
||||||
|
(CVE-2024-4317)
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
By itself, this fix will only fix the behavior in newly initdb'd
|
||||||
|
database clusters. If you wish to apply this change in an existing
|
||||||
|
cluster, you will need to do the following:
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<procedure>
|
||||||
|
<step>
|
||||||
|
<para>
|
||||||
|
Find the SQL script <filename>fix-CVE-2024-4317.sql</filename> in
|
||||||
|
the <replaceable>share</replaceable> directory of
|
||||||
|
the <productname>PostgreSQL</productname> installation (typically
|
||||||
|
located someplace like <filename>/usr/share/postgresql/</filename>).
|
||||||
|
Be sure to use the script appropriate to
|
||||||
|
your <productname>PostgreSQL</productname> major version.
|
||||||
|
If you do not see this file, either your version is not vulnerable
|
||||||
|
(only v14–v16 are affected) or your minor version is too
|
||||||
|
old to have the fix.
|
||||||
|
</para>
|
||||||
|
</step>
|
||||||
|
|
||||||
|
<step>
|
||||||
|
<para>
|
||||||
|
In <emphasis>each</emphasis> database of the cluster, run
|
||||||
|
the <filename>fix-CVE-2024-4317.sql</filename> script as superuser.
|
||||||
|
In <application>psql</application> this would look like
|
||||||
|
<programlisting>
|
||||||
|
\i /usr/share/postgresql/fix-CVE-2024-4317.sql
|
||||||
|
</programlisting>
|
||||||
|
(adjust the file path as appropriate). Any error probably indicates
|
||||||
|
that you've used the wrong script version. It will not hurt to run
|
||||||
|
the script more than once.
|
||||||
|
</para>
|
||||||
|
</step>
|
||||||
|
|
||||||
|
<step>
|
||||||
|
<para>
|
||||||
|
Do not forget to include the <literal>template0</literal>
|
||||||
|
and <literal>template1</literal> databases, or the vulnerability
|
||||||
|
will still exist in databases you create later. To
|
||||||
|
fix <literal>template0</literal>, you'll need to temporarily make
|
||||||
|
it accept connections. Do that with
|
||||||
|
<programlisting>
|
||||||
|
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
|
||||||
|
</programlisting>
|
||||||
|
and then after fixing <literal>template0</literal>, undo it with
|
||||||
|
<programlisting>
|
||||||
|
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
|
||||||
|
</programlisting>
|
||||||
|
</para>
|
||||||
|
</step>
|
||||||
|
</procedure>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<!--
|
||||||
Author: Tom Lane <tgl@sss.pgh.pa.us>
|
Author: Tom Lane <tgl@sss.pgh.pa.us>
|
||||||
Branch: master [b4a71cf65] 2024-03-14 14:57:16 -0400
|
Branch: master [b4a71cf65] 2024-03-14 14:57:16 -0400
|
||||||
Branch: REL_16_STABLE [52898c63e] 2024-03-14 14:57:16 -0400
|
Branch: REL_16_STABLE [52898c63e] 2024-03-14 14:57:16 -0400
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user