mirror of
https://git.FreeBSD.org/ports.git
synced 2024-10-18 19:49:40 +00:00
3fd6f200dc
The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 15.3, 14.8, 13.11, 12.15, and 11.20. This release fixes two security vulnerabilities over 80 bugs reported over the last several months. CVE-2023-2454: CREATE SCHEMA ... schema_element defeats protective search_path changes. This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users. CVE-2023-2455: Row security policies disregard user ID changes after inlining. While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. Security: fbb5a260-f00f-11ed-bbae-6cc21735f730 Security: 4b636f50-f011-11ed-bbae-6cc21735f730 Release-notes: https://www.postgresql.org/docs/release/ |
||
|---|---|---|
| .. | ||
| files | ||
| distinfo | ||
| Makefile | ||
| pkg-descr | ||
| pkg-install-server | ||
| pkg-plist-client | ||
| pkg-plist-contrib | ||
| pkg-plist-plperl | ||
| pkg-plist-plpython | ||
| pkg-plist-pltcl | ||
| pkg-plist-server | ||