[Buildroot] [PATCH 1/1] package/postgresql: security bump to version 17.6

Julien Olivain ju.o at free.fr
Fri Sep 19 17:33:25 UTC 2025


On 19/09/2025 09:23, Maxim Kochetkov via buildroot wrote:
> Fixes the following security issue:
> 
> CVE-2025-8713: PostgreSQL optimizer statistics can expose sampled data
> within a view, partition, or child table
> 
> PostgreSQL optimizer statistics allow a user to read sampled data within
> a view that the user cannot access. Separately, statistics allow a user
> to read sampled data that a row security policy intended to hide.
> PostgreSQL maintains statistics for tables by sampling data available in
> columns; this data is consulted during the query planning process. Prior
> to this release, a user could craft a leaky operator that bypassed view
> access control lists (ACLs) and bypassed row security policies in
> partitioning or table inheritance hierarchies. Reachable statistics data
> notably included histograms and most-common-values lists. CVE-2017-7484
> and CVE-2019-10130 intended to close this class of vulnerability, but
> this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19,
> and 13.22 are affected.
> 
> CVE-2025-8714: PostgreSQL pg_dump lets superuser of origin server execute
> arbitrary code in psql client
> 
> Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious
> superuser of the origin server to inject arbitrary code for restore-time
> execution as the client operating system account running psql to restore
> the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore
> is affected when used to generate a plain-format dump. This is similar to
> MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14,
> 14.19, and 13.22 are affected.
> 
> CVE-2025-8715: PostgreSQL pg_dump newline in object name executes
> arbitrary code in psql client and in restore target server
> 
> Improper neutralization of newlines in pg_dump in PostgreSQL allows a user
> of the origin server to inject arbitrary code for restore-time execution
> as the client operating system account running psql to restore the dump,
> via psql meta-commands inside a purpose-crafted object name. The same
> attacks can achieve SQL injection as a superuser of the restore target
> server. pg_dumpall, pg_restore, and pg_upgrade are also affected.
> Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are
> affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed
> this class of problem, but version 11.20 reintroduced it.
> 
> https://www.postgresql.org/about/news/postgresql-176-1610-1514-1419-1322-and-18-beta-3-released-3118/
> 
> Signed-off-by: Maxim Kochetkov <fido_max at inbox.ru>

Applied to master, thanks.
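
For plain-format dumps taken with an affected pg_dump and not yet restored, a triage check for the psql meta-command vector described in CVE-2025-8714 and CVE-2025-8715 can look like the following. This is an added example, not code from this thread, Buildroot or PostgreSQL; the function name, the allow-list and the sample dump are assumptions made for illustration, and the check is a heuristic that does not track multi-line string literals, so it can over-report.

```python
import re

# Start of a COPY data block in a plain-format dump.
COPY_START = re.compile(r"^COPY\s.+\sFROM\s+stdin;\s*$", re.IGNORECASE)
# Allow-list (an assumption to tune per site): \connect is written by
# pg_dumpall, \restrict and \unrestrict by pg_dump from the fixed releases.
EXPECTED = {"\\connect", "\\restrict", "\\unrestrict"}


def find_meta_commands(dump_text, expected=EXPECTED):
    """Return (line_number, line) for unexpected backslash lines outside COPY data."""
    findings = []
    in_copy = False
    for number, raw in enumerate(dump_text.split("\n"), start=1):
        line = raw.rstrip("\r")
        if in_copy:
            # Data rows may start with a backslash (e.g. \N); "\." ends the block.
            if line == "\\.":
                in_copy = False
            continue
        if COPY_START.match(line):
            in_copy = True
            continue
        stripped = line.lstrip()
        if stripped.startswith("\\"):
            command = stripped.split(None, 1)[0]
            if command not in expected:
                findings.append((number, line))
    return findings


# Constructed sample: an object name containing a newline splits the header comment.
SAMPLE_DUMP = "\n".join([
    "\\connect appdb",
    "--",
    "-- Name: orders",
    "\\echo constructed-marker",
    "; Type: TABLE; Schema: public; Owner: app",
    "CREATE TABLE public.orders (id integer, note text);",
    "COPY public.orders (id, note) FROM stdin;",
    "1\t\\N",
    "\\N\tfirst",
    "\\.",
])

if __name__ == "__main__":
    for number, line in find_meta_commands(SAMPLE_DUMP):
        print(f"line {number}: {line}")
```

A finding means the dump needs manual review before it is fed to psql; an empty result does not prove the dump is safe.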

