Postgres Pro
Downloads
Home   >   mailing lists

Thread: Re: PostgreSQL CVE-2024-7348 today

Re: PostgreSQL CVE-2024-7348 today

From
Christoph Berg
Date:
Re: Moritz Mühlenhoff
> DSAs have been released, thanks!

Unfortunately there is an ABI change in the last minors that has
greater impact than originally planned.

The effect is that some extensions need recompilation against the new
version (after which they will no longer work with the old version).
In Debian, timescaledb and, to a lesser extend, postgresql-16-age are
affected, but both are only part of testing, not stable.

(See https://qa.debian.org/excuses.php?package=postgresql-17 where the
timescaledb problem shows up as regression.)

A new round of releases is planned for next week to revert that part.

Since we can't tell what 3rd-party extensions people are using with
the Debian packages it would be prudent to release that update as a
DSA update.

PostgreSQL is well aware that problems like that shouldn't happen and
the already existing ABI checking will be done even stricter in the
future, both manually and automated.

Sorry for the trouble,
Christoph

PostgreSQL security updates are re-wrapped

From
Christoph Berg
Date:
(I replied to the wrong old mail, the issue is in the current minor
releases, released 2024-11-14.)

Re: To Debian Security Team
> Re: Moritz Mühlenhoff
> > DSAs have been released, thanks!
> 
> Unfortunately there is an ABI change in the last minors that has
> greater impact than originally planned.
> 
> The effect is that some extensions need recompilation against the new
> version (after which they will no longer work with the old version).
> In Debian, timescaledb and, to a lesser extend, postgresql-16-age are
> affected, but both are only part of testing, not stable.
> 
> (See https://qa.debian.org/excuses.php?package=postgresql-17 where the
> timescaledb problem shows up as regression.)
> 
> A new round of releases is planned for next week to revert that part.
> 
> Since we can't tell what 3rd-party extensions people are using with
> the Debian packages it would be prudent to release that update as a
> DSA update.
> 
> PostgreSQL is well aware that problems like that shouldn't happen and
> the already existing ABI checking will be done even stricter in the
> future, both manually and automated.
> 
> Sorry for the trouble,
> Christoph

Christoph

Re: PostgreSQL CVE-2024-7348 today

From
Moritz Mühlenhoff
Date:
On Sat, Nov 16, 2024 at 07:35:20PM +0100, Christoph Berg wrote:
> Re: Moritz Mühlenhoff
> > DSAs have been released, thanks!
> 
> Unfortunately there is an ABI change in the last minors that has
> greater impact than originally planned.
> 
> The effect is that some extensions need recompilation against the new
> version (after which they will no longer work with the old version).
> In Debian, timescaledb and, to a lesser extend, postgresql-16-age are
> affected, but both are only part of testing, not stable.
> 
> (See https://qa.debian.org/excuses.php?package=postgresql-17 where the
> timescaledb problem shows up as regression.)
> 
> A new round of releases is planned for next week to revert that part.
> 
> Since we can't tell what 3rd-party extensions people are using with
> the Debian packages it would be prudent to release that update as a
> DSA update.
> 
> PostgreSQL is well aware that problems like that shouldn't happen and
> the already existing ABI checking will be done even stricter in the
> future, both manually and automated.

Ok, no problem. We'll release that revised update via bookworm-security
as well, then.

Cheers,
        Moritz

postgresql-15 (15.10-0+deb12u1) and a fix for CVE-2024-10978

From
Christoph Berg
Date:
Re: Moritz Mühlenhoff
> Ok, no problem. We'll release that revised update via bookworm-security
> as well, then.

Hi,

new PG15 uploaded:

postgresql-15 (15.10-0+deb12u1) bookworm-security; urgency=medium

  * New upstream version 15.10.

    + Repair ABI break for extensions that work with struct ResultRelInfo

      Last week's minor releases unintentionally broke binary compatibility
      with timescaledb and several other extensions.  Restore the affected
      structure to its previous size, so that such extensions need not be
      rebuilt.

    + Restore functionality of ALTER {ROLE|DATABASE} SET role

      The fix for CVE-2024-10978 accidentally caused settings for role to not
      be applied if they come from non-interactive sources, including previous
      ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.

 -- Christoph Berg <myon@debian.org>  Tue, 19 Nov 2024 15:36:12 +0100


Christoph

Re: postgresql-15 (15.10-0+deb12u1) and a fix for CVE-2024-10978

From
Moritz Mühlenhoff
Date:
On Thu, Nov 21, 2024 at 12:51:30PM +0100, Christoph Berg wrote:
> Re: Moritz Mühlenhoff
> > Ok, no problem. We'll release that revised update via bookworm-security
> > as well, then.
> 
> Hi,
> 
> new PG15 uploaded:
> 
> postgresql-15 (15.10-0+deb12u1) bookworm-security; urgency=medium

Thanks, update has been released.

Cheers,
        Moritz