Last-minute updates for release notes.
author Tom Lane <tgl@sss.pgh.pa.us>
Mon, 6 May 2024 16:27:27 +0000 (12:27 -0400)
committer Tom Lane <tgl@sss.pgh.pa.us>
Mon, 6 May 2024 16:27:27 +0000 (12:27 -0400)
Security: CVE-2024-4317

doc/src/sgml/release-14.sgml

index a03163f4f8c0b4a8661c2940171065a9c2ec3a31..53f6ced486ec0e4a021ce4ca2f0604257d1e2642 100644 (file)
    </para>
 
    <para>
-    However, if you are upgrading from a version earlier than 14.11,
+    However, a security vulnerability was found in the system
+    views <structname>pg_stats_ext</structname>
+    and <structname>pg_stats_ext_exprs</structname>, potentially allowing
+    authenticated database users to see data they shouldn't.  If this is
+    of concern in your installation, follow the steps in the first
+    changelog entry below to rectify it.
+   </para>
+
+   <para>
+    Also, if you are upgrading from a version earlier than 14.11,
     see <xref linkend="release-14-11"/>.
    </para>
   </sect2>
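Review bot: The new migration paragraph ("If this is of concern in your installation, follow the steps in the first changelog entry below") never says that installing the update leaves existing clusters unchanged; that fact appears only further down, in the changelog entry itself ("By itself, this fix will only fix the behavior in newly initdb'd database clusters"). Suggest stating it here, since this is the paragraph an administrator reads to decide whether a minor-version upgrade needs manual work. The positional reference "first changelog entry below" would also be sturdier as an xref to an id on that entry, and "data they shouldn't" could say what is exposed: statistics derived from columns the user has no permission to read.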
 
     <listitem>
 <!--
+Author: Nathan Bossart <nathan@postgresql.org>
+Branch: master [521a7156a] 2024-05-06 09:00:00 -0500
+Branch: REL_16_STABLE [2485a85e9] 2024-05-06 09:00:07 -0500
+Branch: REL_15_STABLE [9cc2b6289] 2024-05-06 09:00:13 -0500
+Branch: REL_14_STABLE [c3425383b] 2024-05-06 09:00:19 -0500
+-->
+     <para>
+      Restrict visibility of <structname>pg_stats_ext</structname> and
+      <structname>pg_stats_ext_exprs</structname> entries to the table
+      owner (Nathan Bossart)
+     </para>
+
+     <para>
+      These views failed to hide statistics for expressions that involve
+      columns the accessing user does not have permission to read.  View
+      columns such as <structfield>most_common_vals</structfield> might
+      expose security-relevant data.  The potential interactions here are
+      not fully clear, so in the interest of erring on the side of safety,
+      make rows in these views visible only to the owner of the associated
+      table.
+     </para>
+
+     <para>
+      The <productname>PostgreSQL</productname> Project thanks
+      Lukas Fittl for reporting this problem.
+      (CVE-2024-4317)
+     </para>
+
+     <para>
+      By itself, this fix will only fix the behavior in newly initdb'd
+      database clusters.  If you wish to apply this change in an existing
+      cluster, you will need to do the following:
+     </para>
+
+     <procedure>
+      <step>
+       <para>
+        Find the SQL script <filename>fix-CVE-2024-4317.sql</filename> in
+        the <replaceable>share</replaceable> directory of
+        the <productname>PostgreSQL</productname> installation (typically
+        located someplace like <filename>/usr/share/postgresql/</filename>).
+        Be sure to use the script appropriate to
+        your <productname>PostgreSQL</productname> major version.
+        If you do not see this file, either your version is not vulnerable
+        (only v14&ndash;v16 are affected) or your minor version is too
+        old to have the fix.
+       </para>
+      </step>
+
+      <step>
+       <para>
+        In <emphasis>each</emphasis> database of the cluster, run
+        the <filename>fix-CVE-2024-4317.sql</filename> script as superuser.
+        In <application>psql</application> this would look like
+<programlisting>
+\i /usr/share/postgresql/fix-CVE-2024-4317.sql
+</programlisting>
+        (adjust the file path as appropriate).  Any error probably indicates
+        that you've used the wrong script version.  It will not hurt to run
+        the script more than once.
+       </para>
+      </step>
+
+      <step>
+       <para>
+        Do not forget to include the <literal>template0</literal>
+        and <literal>template1</literal> databases, or the vulnerability
+        will still exist in databases you create later.  To
+        fix <literal>template0</literal>, you'll need to temporarily make
+        it accept connections.  Do that with
+<programlisting>
+ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
+</programlisting>
+        and then after fixing <literal>template0</literal>, undo it with
+<programlisting>
+ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
+</programlisting>
+       </para>
+      </step>
+     </procedure>
+    </listitem>
+
+    <listitem>
+<!--
 Author: Tom Lane <tgl@sss.pgh.pa.us>
 Branch: master [b4a71cf65] 2024-03-14 14:57:16 -0400
 Branch: REL_16_STABLE [52898c63e] 2024-03-14 14:57:16 -0400
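Review bot: In the new procedure, the third step (template0 and template1) is really a precondition for finishing the second step ("In each database of the cluster, run the ... script"), because template0 has to be made to accept connections before the script can be run there. Suggest folding the ALLOW_CONNECTIONS toggle into the run step, or moving it ahead of it, and saying that ALLOW_CONNECTIONS must be set back to false even when the script reports an error, so template0 is not left connectable. The procedure also gives no way to confirm that a given database has been fixed; a short check would help administrators with many databases. Minor wording point: "this fix will only fix" repeats the verb.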