Date: Sat, 16 Nov 2024 19:35:20 +0100
From: Christoph Berg
To: Debian Security Team
Cc: PostgreSQL in Debian
Subject: Re: PostgreSQL CVE-2024-7348 today

Re: Moritz Mühlenhoff
> DSAs have been released, thanks!

Unfortunately there is an ABI change in the last minors that has greater impact than originally planned. The effect is that some extensions need recompilation against the new version (after which they will no longer work with the old version).

In Debian, timescaledb and, to a lesser extent, postgresql-16-age are affected, but both are only part of testing, not stable. (See https://qa.debian.org/excuses.php?package=postgresql-17 where the timescaledb problem shows up as a regression.)

A new round of releases is planned for next week to revert that part. Since we can't tell what 3rd-party extensions people are using with the Debian packages, it would be prudent to release that update as a DSA update.

PostgreSQL is well aware that problems like that shouldn't happen, and the already existing ABI checking will be done even more strictly in the future, both manually and automated.

Sorry for the trouble,
Christoph