[Buildroot] [PATCH 1/1] package/postgresql: security bump to version 17.6
Maxim Kochetkov
fido_max at inbox.ru
Fri Sep 19 07:23:49 UTC 2025
Fixes the following security issues:

CVE-2025-8713: PostgreSQL optimizer statistics can expose sampled data
within a view, partition, or child table

PostgreSQL optimizer statistics allow a user to read sampled data within
a view that the user cannot access. Separately, statistics allow a user
to read sampled data that a row security policy intended to hide.
PostgreSQL maintains statistics for tables by sampling data available in
columns; this data is consulted during the query planning process. Prior
to this release, a user could craft a leaky operator that bypassed view
access control lists (ACLs) and bypassed row security policies in
partitioning or table inheritance hierarchies. Reachable statistics data
notably included histograms and most-common-values lists. CVE-2017-7484
and CVE-2019-10130 intended to close this class of vulnerability, but
this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19,
and 13.22 are affected.

CVE-2025-8714: PostgreSQL pg_dump lets superuser of origin server execute
arbitrary code in psql client

Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious
superuser of the origin server to inject arbitrary code for restore-time
execution as the client operating system account running psql to restore
the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore
is affected when used to generate a plain-format dump. This is similar to
MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14,
14.19, and 13.22 are affected.

CVE-2025-8715: PostgreSQL pg_dump newline in object name executes
arbitrary code in psql client and in restore target server

Improper neutralization of newlines in pg_dump in PostgreSQL allows a user
of the origin server to inject arbitrary code for restore-time execution
as the client operating system account running psql to restore the dump,
via psql meta-commands inside a purpose-crafted object name. The same
attacks can achieve SQL injection as a superuser of the restore target
server. pg_dumpall, pg_restore, and pg_upgrade are also affected.
Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class
of problem, but version 11.20 reintroduced it.

https://www.postgresql.org/about/news/postgresql-176-1610-1514-1419-1322-and-18-beta-3-released-3118/
Signed-off-by: Maxim Kochetkov <fido_max at inbox.ru>
---
package/postgresql/postgresql.hash | 6 +++---
package/postgresql/postgresql.mk | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/postgresql/postgresql.hash b/package/postgresql/postgresql.hash
index f17d4ca3ce..3b5e773c65 100644
--- a/package/postgresql/postgresql.hash
+++ b/package/postgresql/postgresql.hash
@@ -1,4 +1,4 @@
-# From https://ftp.postgresql.org/pub/source/v17.5/postgresql-17.5.tar.bz2.sha256
-sha256 fcb7ab38e23b264d1902cb25e6adafb4525a6ebcbd015434aeef9eda80f528d8 postgresql-17.5.tar.bz2
+# From https://ftp.postgresql.org/pub/source/v17.6/postgresql-17.6.tar.bz2.sha256
+sha256 e0630a3600aea27511715563259ec2111cd5f4353a4b040e0be827f94cd7a8b0 postgresql-17.6.tar.bz2
# License file, Locally calculated
-sha256 e3822c4797fadcab31a3fc73f75c28ac20c73d72b565da91e9974cf9398ef4d2 COPYRIGHT
+sha256 5ed3ce5c9373dff7f98b1fae7a6c7ccd98df7d734d46d24c1bcebf1240be8307 COPYRIGHT
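Review bot: the COPYRIGHT hash changes in this hunk (from e3822c47... to 5ed3ce5c...) but the commit message does not say why the license file differs between 17.5 and 17.6; per the usual bump convention, add one line to the message stating what changed in COPYRIGHT (for example a copyright year update) so reviewers can confirm the license itself is unchanged and that the new hash was taken from the upstream tarball rather than copied from elsewhere. The tarball hash comment correctly points at the v17.6 .sha256 file, matching the new POSTGRESQL_VERSION.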
diff --git a/package/postgresql/postgresql.mk b/package/postgresql/postgresql.mk
index 671bd30347..31d0068328 100644
--- a/package/postgresql/postgresql.mk
+++ b/package/postgresql/postgresql.mk
@@ -4,7 +4,7 @@
#
################################################################################
-POSTGRESQL_VERSION = 17.5
+POSTGRESQL_VERSION = 17.6
POSTGRESQL_SOURCE = postgresql-$(POSTGRESQL_VERSION).tar.bz2
POSTGRESQL_SITE = https://ftp.postgresql.org/pub/source/v$(POSTGRESQL_VERSION)
POSTGRESQL_LICENSE = PostgreSQL
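Review bot: the POSTGRESQL_VERSION bump to 17.6 is consistent with the tarball name in postgresql.hash and with POSTGRESQL_SITE, which derives the v17.6 source directory from the same variable, so nothing else in the .mk needs to change; the commit subject says "security issue" while the message lists three CVEs, which is fine for a version bump but worth keeping in mind when backporting to stable branches, where each listed CVE should be checked against the branch's current version.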
--
2.51.0