public inbox for [email protected]
help / color / mirror / Atom feedRe: PostgreSQL CVE-2024-7348 today
5+ messages / 2 participants
[nested] [flat]
* Re: PostgreSQL CVE-2024-7348 today
@ 2024-11-16 18:35 Christoph Berg <[email protected]>
0 siblings, 2 replies; 5+ messages in thread
From: Christoph Berg @ 2024-11-16 18:35 UTC (permalink / raw)
To: Debian Security Team <[email protected]>; +Cc: PostgreSQL in Debian <[email protected]>
Re: Moritz Mühlenhoff
> DSAs have been released, thanks!
Unfortunately there is an ABI change in the last minors that has
greater impact than originally planned.
The effect is that some extensions need recompilation against the new
version (after which they will no longer work with the old version).
In Debian, timescaledb and, to a lesser extend, postgresql-16-age are
affected, but both are only part of testing, not stable.
(See https://qa.debian.org/excuses.php?package=postgresql-17 where the
timescaledb problem shows up as regression.)
A new round of releases is planned for next week to revert that part.
Since we can't tell what 3rd-party extensions people are using with
the Debian packages it would be prudent to release that update as a
DSA update.
PostgreSQL is well aware that problems like that shouldn't happen and
the already existing ABI checking will be done even stricter in the
future, both manually and automated.
Sorry for the trouble,
Christoph
^ permalink raw reply [nested|flat] 5+ messages in thread
* PostgreSQL security updates are re-wrapped
@ 2024-11-16 18:37 Christoph Berg <[email protected]>
parent: Christoph Berg <[email protected]>
1 sibling, 0 replies; 5+ messages in thread
From: Christoph Berg @ 2024-11-16 18:37 UTC (permalink / raw)
To: Debian Security Team <[email protected]>; +Cc: PostgreSQL in Debian <[email protected]>
(I replied to the wrong old mail, the issue is in the current minor
releases, released 2024-11-14.)
Re: To Debian Security Team
> Re: Moritz Mühlenhoff
> > DSAs have been released, thanks!
>
> Unfortunately there is an ABI change in the last minors that has
> greater impact than originally planned.
>
> The effect is that some extensions need recompilation against the new
> version (after which they will no longer work with the old version).
> In Debian, timescaledb and, to a lesser extend, postgresql-16-age are
> affected, but both are only part of testing, not stable.
>
> (See https://qa.debian.org/excuses.php?package=postgresql-17 where the
> timescaledb problem shows up as regression.)
>
> A new round of releases is planned for next week to revert that part.
>
> Since we can't tell what 3rd-party extensions people are using with
> the Debian packages it would be prudent to release that update as a
> DSA update.
>
> PostgreSQL is well aware that problems like that shouldn't happen and
> the already existing ABI checking will be done even stricter in the
> future, both manually and automated.
>
> Sorry for the trouble,
> Christoph
Christoph
^ permalink raw reply [nested|flat] 5+ messages in thread
* Re: PostgreSQL CVE-2024-7348 today
@ 2024-11-16 20:11 Moritz Mühlenhoff <[email protected]>
parent: Christoph Berg <[email protected]>
1 sibling, 1 reply; 5+ messages in thread
From: Moritz Mühlenhoff @ 2024-11-16 20:11 UTC (permalink / raw)
To: Christoph Berg <[email protected]>; +Cc: Debian Security Team <[email protected]>; PostgreSQL in Debian <[email protected]>
On Sat, Nov 16, 2024 at 07:35:20PM +0100, Christoph Berg wrote:
> Re: Moritz Mühlenhoff
> > DSAs have been released, thanks!
>
> Unfortunately there is an ABI change in the last minors that has
> greater impact than originally planned.
>
> The effect is that some extensions need recompilation against the new
> version (after which they will no longer work with the old version).
> In Debian, timescaledb and, to a lesser extend, postgresql-16-age are
> affected, but both are only part of testing, not stable.
>
> (See https://qa.debian.org/excuses.php?package=postgresql-17 where the
> timescaledb problem shows up as regression.)
>
> A new round of releases is planned for next week to revert that part.
>
> Since we can't tell what 3rd-party extensions people are using with
> the Debian packages it would be prudent to release that update as a
> DSA update.
>
> PostgreSQL is well aware that problems like that shouldn't happen and
> the already existing ABI checking will be done even stricter in the
> future, both manually and automated.
Ok, no problem. We'll release that revised update via bookworm-security
as well, then.
Cheers,
Moritz
^ permalink raw reply [nested|flat] 5+ messages in thread
* postgresql-15 (15.10-0+deb12u1) and a fix for CVE-2024-10978
@ 2024-11-21 11:51 Christoph Berg <[email protected]>
parent: Moritz Mühlenhoff <[email protected]>
0 siblings, 1 reply; 5+ messages in thread
From: Christoph Berg @ 2024-11-21 11:51 UTC (permalink / raw)
To: Moritz Mühlenhoff <[email protected]>; +Cc: Debian Security Team <[email protected]>; PostgreSQL in Debian <[email protected]>
Re: Moritz Mühlenhoff
> Ok, no problem. We'll release that revised update via bookworm-security
> as well, then.
Hi,
new PG15 uploaded:
postgresql-15 (15.10-0+deb12u1) bookworm-security; urgency=medium
* New upstream version 15.10.
+ Repair ABI break for extensions that work with struct ResultRelInfo
Last week's minor releases unintentionally broke binary compatibility
with timescaledb and several other extensions. Restore the affected
structure to its previous size, so that such extensions need not be
rebuilt.
+ Restore functionality of ALTER {ROLE|DATABASE} SET role
The fix for CVE-2024-10978 accidentally caused settings for role to not
be applied if they come from non-interactive sources, including previous
ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.
-- Christoph Berg <[email protected]> Tue, 19 Nov 2024 15:36:12 +0100
Christoph
^ permalink raw reply [nested|flat] 5+ messages in thread
* Re: postgresql-15 (15.10-0+deb12u1) and a fix for CVE-2024-10978
@ 2024-11-21 19:24 Moritz Mühlenhoff <[email protected]>
parent: Christoph Berg <[email protected]>
0 siblings, 0 replies; 5+ messages in thread
From: Moritz Mühlenhoff @ 2024-11-21 19:24 UTC (permalink / raw)
To: Christoph Berg <[email protected]>; +Cc: Debian Security Team <[email protected]>; PostgreSQL in Debian <[email protected]>
On Thu, Nov 21, 2024 at 12:51:30PM +0100, Christoph Berg wrote:
> Re: Moritz Mühlenhoff
> > Ok, no problem. We'll release that revised update via bookworm-security
> > as well, then.
>
> Hi,
>
> new PG15 uploaded:
>
> postgresql-15 (15.10-0+deb12u1) bookworm-security; urgency=medium
Thanks, update has been released.
Cheers,
Moritz
^ permalink raw reply [nested|flat] 5+ messages in thread
end of thread, other threads:[~2024-11-21 19:24 UTC | newest]
Thread overview: 5+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2024-11-16 18:35 Re: PostgreSQL CVE-2024-7348 today Christoph Berg <[email protected]>
2024-11-16 18:37 ` PostgreSQL security updates are re-wrapped Christoph Berg <[email protected]>
2024-11-16 20:11 ` Moritz Mühlenhoff <[email protected]>
2024-11-21 11:51 ` postgresql-15 (15.10-0+deb12u1) and a fix for CVE-2024-10978 Christoph Berg <[email protected]>
2024-11-21 19:24 ` Re: postgresql-15 (15.10-0+deb12u1) and a fix for CVE-2024-10978 Moritz Mühlenhoff <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox