Last-minute updates for release notes.

Security: CVE-2024-4317
Tom Lane 2024-05-06 12:27:26 -04:00
parent 2485a85e96
commit a62be834ae
1 changed files with 94 additions and 1 deletions

@ -23,7 +23,16 @@
</para>
<para>
However, if you are upgrading from a version earlier than 16.2,
However, a security vulnerability was found in the system
views <structname>pg_stats_ext</structname>
and <structname>pg_stats_ext_exprs</structname>, potentially allowing
authenticated database users to see data they shouldn't. If this is
of concern in your installation, follow the steps in the first
changelog entry below to rectify it.
</para>
<para>
Also, if you are upgrading from a version earlier than 16.2,
see <xref linkend="release-16-2"/>.
</para>
</sect2>
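Review bot: The new summary paragraph ("If this is of concern in your installation, follow the steps in the first changelog entry below to rectify it") never says that installing the update leaves existing clusters unchanged, so a reader who stops at the migration section can assume the minor-version upgrade alone closes CVE-2024-4317. Suggest carrying the key fact from the changelog entry up here, namely that the fix takes effect only in newly initdb'd clusters unless the listed steps are run. Two smaller points: "the first changelog entry below" is a positional reference that breaks if entries are reordered, so naming the CVE or the two views in the pointer would be more robust, and "see data they shouldn't" could say it is statistics derived from columns the user lacks permission to read.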
@ -35,6 +44,90 @@
<listitem>
<!--
Author: Nathan Bossart <nathan@postgresql.org>
Branch: master [521a7156a] 2024-05-06 09:00:00 -0500
Branch: REL_16_STABLE [2485a85e9] 2024-05-06 09:00:07 -0500
Branch: REL_15_STABLE [9cc2b6289] 2024-05-06 09:00:13 -0500
Branch: REL_14_STABLE [c3425383b] 2024-05-06 09:00:19 -0500
-->
<para>
Restrict visibility of <structname>pg_stats_ext</structname> and
<structname>pg_stats_ext_exprs</structname> entries to the table
owner (Nathan Bossart)
</para>
<para>
These views failed to hide statistics for expressions that involve
columns the accessing user does not have permission to read. View
columns such as <structfield>most_common_vals</structfield> might
expose security-relevant data. The potential interactions here are
not fully clear, so in the interest of erring on the side of safety,
make rows in these views visible only to the owner of the associated
table.
</para>
<para>
The <productname>PostgreSQL</productname> Project thanks
Lukas Fittl for reporting this problem.
(CVE-2024-4317)
</para>
<para>
By itself, this fix will only fix the behavior in newly initdb'd
database clusters. If you wish to apply this change in an existing
cluster, you will need to do the following:
</para>
<procedure>
<step>
<para>
Find the SQL script <filename>fix-CVE-2024-4317.sql</filename> in
the <replaceable>share</replaceable> directory of
the <productname>PostgreSQL</productname> installation (typically
located someplace like <filename>/usr/share/postgresql/</filename>).
Be sure to use the script appropriate to
your <productname>PostgreSQL</productname> major version.
If you do not see this file, either your version is not vulnerable
(only v14&ndash;v16 are affected) or your minor version is too
old to have the fix.
</para>
</step>
<step>
<para>
In <emphasis>each</emphasis> database of the cluster, run
the <filename>fix-CVE-2024-4317.sql</filename> script as superuser.
In <application>psql</application> this would look like
<programlisting>
\i /usr/share/postgresql/fix-CVE-2024-4317.sql
</programlisting>
(adjust the file path as appropriate). Any error probably indicates
that you've used the wrong script version. It will not hurt to run
the script more than once.
</para>
</step>
<step>
<para>
Do not forget to include the <literal>template0</literal>
and <literal>template1</literal> databases, or the vulnerability
will still exist in databases you create later. To
fix <literal>template0</literal>, you'll need to temporarily make
it accept connections. Do that with
<programlisting>
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
</programlisting>
and then after fixing <literal>template0</literal>, undo it with
<programlisting>
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
</programlisting>
</para>
</step>
</procedure>
</listitem>
<listitem>
<!--
Author: Tom Lane <tgl@sss.pgh.pa.us>
Branch: master [b4a71cf65] 2024-03-14 14:57:16 -0400
Branch: REL_16_STABLE [52898c63e] 2024-03-14 14:57:16 -0400
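Review bot: The template0 instructions sit in the third step, after the step that says to run the script in each database, so someone following the procedure in order will fail to connect to template0 before reading that it must first be set to accept connections. Suggest moving the ALLOW_CONNECTIONS true / false pair ahead of, or into, the "In each database of the cluster" step, and saying explicitly that template0 should be returned to ALLOW_CONNECTIONS false before finishing. The psql example also hard-codes /usr/share/postgresql/ while the first step says the share directory varies by installation; pointing readers at pg_config --sharedir would remove the guesswork. Minor wording: "this fix will only fix the behavior" repeats itself, and "will only change the behavior" reads better.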