
Debian alert DLA-4273-1 (postgresql-13)

From:  Chris Lamb <lamby@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4273-1] postgresql-13 security update
Date:  Thu, 14 Aug 2025 10:12:08 -0700
Message-ID:  <175518964373.292143.8671234191396420494@copycat>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4273-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
August 14, 2025                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : postgresql-13
Version        : 13.22-0+deb11u1
CVE IDs        : CVE-2025-8713 CVE-2025-8714 CVE-2025-8715

It was discovered that there were a number of vulnerabilities in
postgresql-13, the widely popular database management system:

* CVE-2025-8713: The fix for CVE-2017-7484 (plus followup fixes) was
  intended to prevent leaky functions from being applied to statistics
  data for columns that the calling user does not have permission to
  read. Some gaps in that protection were found and addressed.

* CVE-2025-8714: Prevent pg_dump scripts from being used to attack the
  user running the restore. An attacker who had gained superuser-level
  control over the source server might have been able to cause it to
  emit text that would be interpreted as psql meta-commands.

* CVE-2025-8715: Convert newlines to spaces in names included in
  comments in pg_dump output, because names containing newlines offered
  the ability to inject arbitrary SQL commands into the output script.

For Debian 11 bullseye, these problems have been fixed in version
13.22-0+deb11u1.

Thanks to Christoph Berg (myon) for preparing this upload.

We recommend that you upgrade your postgresql-13 packages.

For the detailed security status of postgresql-13 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-13

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
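
Added example, not part of the advisory and not Debian or PostgreSQL code: a pre-restore triage check for plain-format pg_dump scripts, relevant to CVE-2025-8714. It reports lines that begin with a psql meta-command outside COPY data blocks. The name scan_dump, the allow-list and the sample dump are assumptions constructed for this example; the check does not parse SQL quoting, so it only sees meta-commands at the start of a line and complements the upgrade rather than replacing it.

```python
import re
import sys

# Assumption: meta-commands a plain-format dump legitimately contains.
# \connect appears in pg_dumpall / pg_dump --create output; \restrict and
# \unrestrict are emitted by pg_dump releases carrying the CVE-2025-8714 fix.
EXPECTED = {"connect", "restrict", "unrestrict"}

# Assumption: pg_dump writes each COPY ... FROM stdin; header on one line.
COPY_START = re.compile(r"^COPY\s.+\sFROM\s+stdin;\s*$")
META = re.compile(r"^\s*\\(\S*)")

def scan_dump(lines):
    """Return [(line_number, text)] for unexpected line-initial meta-commands."""
    findings = []
    in_copy = False
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if in_copy:
            # Data rows may legitimately start with a backslash (for
            # example \N for NULL); the block ends at the \. terminator.
            if line == "\\.":
                in_copy = False
            continue
        if COPY_START.match(line):
            in_copy = True
            continue
        m = META.match(line)
        if m and m.group(1) not in EXPECTED:
            findings.append((lineno, line))
    return findings

# Constructed sample: a tiny dump with one unexpected meta-command (line 8).
SAMPLE = r"""\restrict ConstructedKey123
-- Name: t; Type: TABLE; Schema: public; Owner: app
CREATE TABLE public.t (b text);
COPY public.t (b) FROM stdin;
\N
plain
\.
\echo constructed-unexpected-line
\unrestrict ConstructedKey123
""".splitlines()

if __name__ == "__main__":
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    hits = scan_dump(source)
    for lineno, text in hits:
        print(f"line {lineno}: {text}")
    sys.exit(1 if hits else 0)
```

Run it with the path of a dump file as its only argument; a non-zero exit status means at least one line needs manual review before the script is fed to psql.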

