postgresql-17.1

[Bruce Dubbs]

New minor version.

[Bruce Dubbs]

Release notes for this version of postgresql can be found at ​https://www.postgresql.org/docs/current/release-17-1.html

[Bruce Dubbs]

Fixed at commits

b487b8d6a3 Update to postgresql-17.1.
498b77bf2d Update to fltk-1.3.10.

[Douglas R. Reno]

There were some security issues brought to oss-security which were fixed in this update.

Security Issues

CVE-2024-10976: PostgreSQL row security below e.g. subqueries disregards user ID changes

CVSS v3.1 Base Score: 4.2

Supported, Vulnerable Versions: 12 - 17.

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to 
view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed 
most interaction between row security and user ID changes. They missed cases where a 
subquery, WITH query, security invoker view, or SQL-language function references a table 
with a row-level security policy. This has the same consequences as the two earlier 
CVEs. That is to say, it leads to potentially incorrect policies being applied in cases 
where role-specific policies are used and a given query is planned under one role and 
then executed under other roles. This scenario can happen under security definer 
functions or when a common user and query is planned initially and then re-used across 
multiple SET ROLEs.

Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and 
modifications. This affects only databases that have used CREATE POLICY to define a row 
security policy. An attacker must tailor an attack to a particular application's pattern 
of query plan reuse, user ID changes, and role-specific row security policies. Versions 
before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

The PostgreSQL project thanks Wolfgang Walther for reporting this problem.

CVE-2024-10977: PostgreSQL libpq retains an error message from man-in-the-middle

CVSS v3.1 Base Score: 3.1

Supported, Vulnerable Versions: 12 - 17.

Client use of server error message in PostgreSQL allows a server not trusted under 
current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. 
For example, a man-in-the-middle attacker could send a long error message that a human 
or screen-scraper user of psql mistakes for valid query results. This is probably not a 
concern for clients where the user interface unambiguously indicates the boundary 
between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 
14.14, 13.17, and 12.21 are affected.

The PostgreSQL project thanks Jacob Champion for reporting this problem.

CVE-2024-10978: PostgreSQL SET ROLE, SET SESSION AUTHORIZATION reset to wrong user ID

CVSS v3.1 Base Score: 4.2

Supported, Vulnerable Versions: 12 - 17.

Incorrect privilege assignment in PostgreSQL allows a less-privileged application user 
to view or change different rows from those intended. An attack requires the application 
to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises 
when an application query uses parameters from the attacker or conveys query results to 
the attacker. If that query reacts to current_setting('role') or the current user ID, it 
may modify or return data as though the session had not used SET ROLE or SET SESSION 
AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text 
from less-privileged sources is not a concern here, because SET ROLE and SET SESSION 
AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 
16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

The PostgreSQL project thanks Tom Lane for reporting this problem.

CVE-2024-10979: PostgreSQL PL/Perl environment variable changes execute arbitrary code

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 12 - 17.

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged 
database user to change sensitive process environment variables (e.g. PATH). That often 
suffices to enable arbitrary code execution, even if the attacker lacks a database 
server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, 
and 12.21 are affected.

The PostgreSQL project thanks Coby Abrams for reporting this problem.

[Douglas R. Reno]

No security advisory is planned until the new version comes out tomorrow that fixes regressions:

If someone in here contributes to or follows PostgreSQL development or announcements (which I normally don't), I'd appreciate if if they start bringing the relevant announcements to here. Ditto for other projects.

On Sun, Nov 17, 2024 at 12:39:27AM +0100, Solar Designer wrote:
> As announced in:
>
> https://www.postgresql.org/about/news/postgresql-171-165-159-1414-1317-and-1221-released-2955/
> https://www.postgresql.org/message-id/173159332163.1547975.13346191756810493274%40wrigleys.postgresql.org
>
> new PostgreSQL updates to all supported versions fix 4 CVEs and 35
> non-security bugs.
>
> CVE-2024-10976 PostgreSQL row security below e.g. subqueries disregards user ID changes (CVSS 4.2)
> CVE-2024-10977 PostgreSQL libpq retains an error message from man-in-the-middle (CVSS 3.1)
> CVE-2024-10978 PostgreSQL SET ROLE, SET SESSION AUTHORIZATION reset to wrong user ID (CVSS 4.2)
> CVE-2024-10979 PostgreSQL PL/Perl environment variable changes execute arbitrary code (CVSS 8.8)

Turns out these releases caused two regressions and there "is planning
for an out-of-cycle release on November 21, 2024" to address them:

https://www.postgresql.org/message-
id/173171334532.1547978.1518068370217143844%40wrigleys.postgresql.org

​https://www.postgresql.org/message-id/173171334532.1547978.1518068370217143844%40wrigleys.postgresql.org also mentions an unintentional ABI break.

[Douglas R. Reno]

SA-12.2-044 issued now that we have PostgreSQL 17.2