From a62be834aeb899dfc2e10e3cde6d0f48ba128373 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 6 May 2024 12:27:26 -0400 Subject: [PATCH] Last-minute updates for release notes. Security: CVE-2024-4317 --- doc/src/sgml/release-16.sgml | 95 +++++++++++++++++++++++++++++++++++- 1 file changed, 94 insertions(+), 1 deletion(-) diff --git a/doc/src/sgml/release-16.sgml b/doc/src/sgml/release-16.sgml index 9f2700ee16..54860aa0e1 100644 --- a/doc/src/sgml/release-16.sgml +++ b/doc/src/sgml/release-16.sgml @@ -23,7 +23,16 @@ - However, if you are upgrading from a version earlier than 16.2, + However, a security vulnerability was found in the system + views pg_stats_ext + and pg_stats_ext_exprs, potentially allowing + authenticated database users to see data they shouldn't. If this is + of concern in your installation, follow the steps in the first + changelog entry below to rectify it. + + + + Also, if you are upgrading from a version earlier than 16.2, see . 
@@ -35,6 +44,90 @@ + + Restrict visibility of pg_stats_ext and + pg_stats_ext_exprs entries to the table + owner (Nathan Bossart) + + + + These views failed to hide statistics for expressions that involve + columns the accessing user does not have permission to read. View + columns such as most_common_vals might + expose security-relevant data. The potential interactions here are + not fully clear, so in the interest of erring on the side of safety, + make rows in these views visible only to the owner of the associated + table. + + + + The PostgreSQL Project thanks + Lukas Fittl for reporting this problem. + (CVE-2024-4317) + + + + By itself, this fix will only fix the behavior in newly initdb'd + database clusters. If you wish to apply this change in an existing + cluster, you will need to do the following: + + + + + + Find the SQL script fix-CVE-2024-4317.sql in + the share directory of + the PostgreSQL installation (typically + located someplace like /usr/share/postgresql/). + Be sure to use the script appropriate to + your PostgreSQL major version. + If you do not see this file, either your version is not vulnerable + (only v14–v16 are affected) or your minor version is too + old to have the fix. + + + + + + In each database of the cluster, run + the fix-CVE-2024-4317.sql script as superuser. + In psql this would look like + +\i /usr/share/postgresql/fix-CVE-2024-4317.sql + + (adjust the file path as appropriate). Any error probably indicates + that you've used the wrong script version. It will not hurt to run + the script more than once. + + + + + + Do not forget to include the template0 + and template1 databases, or the vulnerability + will still exist in databases you create later. To + fix template0, you'll need to temporarily make + it accept connections. Do that with + +ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true; + + and then after fixing template0, undo it with + +ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false; + + + + + + + +
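Review bot: The template0 step in the second hunk (@@ -35,6 +44,90 @@) leaves out the connect step between enabling connections and running the script, so a reader following it literally runs `\i` against whatever database they happened to be in. `ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;` has to be issued from another database, since template0 cannot be connected to yet; the reader then needs `\c template0` before `\i /usr/share/postgresql/fix-CVE-2024-4317.sql`, and must leave template0 again before the closing `ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;`. Suggest inserting a `\c template0` line between the two ALTER statements in that listitem, and noting that the final ALTER is run from a different database. It would also help to say that the script's "It will not hurt to run the script more than once" guarantee is what makes a re-run the natural way to confirm a database has already been fixed.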
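Review bot: The new intro paragraph in the first hunk (@@ -23,7 +23,16 @@) says only that users might "see data they shouldn't", while the affected-version information (only v14 through v16) is buried in the first changelog step. Since this paragraph is what an administrator reads first when deciding whether to act, suggest stating there that the exposure is extended statistics (for example `most_common_vals`) for expressions over columns the user lacks permission to read, and that existing clusters are not fixed by the upgrade alone but require running `fix-CVE-2024-4317.sql` in every database. Both facts are already in the changelog entry below, so this is a matter of surfacing them, not adding new claims.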