UbuntuUpdates.org

Latest Changelogs for all releases

Note: Only updates for "head" packages where the changelog is available are shown on this page.

postgresql-15 May 30th 15:07
Release: mantic Repo: universe Level: updates New version: 15.7-0ubuntu0.23.10.1
Packages in group:  postgresql-server-dev-15

  postgresql-15 (15.7-0ubuntu0.23.10.1) mantic-security; urgency=medium

  * New upstream version (LP: #2067388).

    + A dump/restore is not required for those running 15.X.

    + However, a security vulnerability was found in the system views
      pg_stats_ext and pg_stats_ext_exprs, potentially allowing
      authenticated database users to see data they shouldn't. If this is of
      concern in your installation, follow the steps below to rectify it.

    + Also, if you are upgrading from a version earlier than 15.6, see
      those release notes as well please.

    + Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries
      to the table owner (Nathan Bossart)

      These views failed to hide statistics for expressions that involve
      columns the accessing user does not have permission to read. View
      columns such as most_common_vals might expose security-relevant
      data. The potential interactions here are not fully clear, so in the
      interest of erring on the side of safety, make rows in these views
      visible only to the owner of the associated table.

      The PostgreSQL Project thanks Lukas Fittl for reporting this
      problem.

      By itself, this fix will only fix the behavior in newly initdb'd
      database clusters. If you wish to apply this change in an existing
      cluster, you will need to do the following:

        - In each database of the cluster, run the
          /usr/share/postgresql/15/fix-CVE-2024-4317.sql script as superuser. In
          psql this would look like:

            \i /usr/share/postgresql/15/fix-CVE-2024-4317.sql

          It will not hurt to run the script more than once.

        - Do not forget to include the template0 and template1 databases,
          or the vulnerability will still exist in databases you create
          later. To fix template0, you'll need to temporarily make it accept
          connections. Do that with:

            ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

          and then after fixing template0, undo it with:

            ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;

      (CVE-2024-4317)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/15/release-15-7.html.

  * d/postgresql-15.NEWS: Update.

 -- Sergio Durigan Junior <email address hidden> Tue, 28 May 2024 10:27:51 -0400

2067388 New upstream microreleases 12.19, 14.12, 15.7 and 16.3
CVE-2024-4317 Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common value
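The manual steps in the changelog above (run the fix script in every database, open template0 for connections first and close it again afterwards) are easy to get wrong by hand when a cluster has many databases. The script below is an added example, not part of the Ubuntu changelog or of the PostgreSQL project's fix script; it automates exactly those steps. It assumes it is run on the database host as a PostgreSQL superuser (for instance via `sudo -u postgres`), that `psql` is on PATH, and that `PG_MAJOR` names the installed packaged major version (14, 15 or 16 on this page). The variable `APPLY_CVE_2024_4317_FIX` and the function names are this example's own; the `ALTER DATABASE ... WITH ALLOW_CONNECTIONS` statements and the script path come from the changelog.

```shell
#!/bin/sh
# Added example (not from the changelog or the PostgreSQL project): apply
# /usr/share/postgresql/<major>/fix-CVE-2024-4317.sql to every database of a
# cluster, templates included. Assumes a superuser session on the host.
set -eu

PG_MAJOR="${PG_MAJOR:-15}"                      # assumption: installed major version
PSQL="psql -X -q -v ON_ERROR_STOP=1"            # fail loudly instead of half-applying

fix_script_path() {
    printf '/usr/share/postgresql/%s/fix-CVE-2024-4317.sql\n' "$1"
}
FIX_SQL="$(fix_script_path "$PG_MAJOR")"

# pg_database rows arrive as "datname|datallowconn" (psql -At output). A database
# that refuses connections (template0 by default, or one an administrator locked)
# has to be opened for the duration of the fix and closed again afterwards.
needs_toggle() {
    case "$1" in
        f) return 0 ;;
        t) return 1 ;;
        *) echo "unexpected datallowconn value: $1" >&2; return 2 ;;
    esac
}

# Open or close connections to one database. The name is passed as a psql
# variable and rendered with :"db", which quotes it as an identifier, so an
# unusual database name cannot alter the statement.
set_allow_connections() {
    printf 'ALTER DATABASE :"db" WITH ALLOW_CONNECTIONS %s;\n' "$2" |
        $PSQL -d postgres -v db="$1"
}

# Run the fix script in one database. The changelog states the script is safe
# to run more than once, so re-running on an already fixed database is harmless.
fix_database() {
    db="$1"; allowconn="$2"
    if needs_toggle "$allowconn"; then
        set_allow_connections "$db" true
        status=0
        $PSQL -d "$db" -f "$FIX_SQL" || status=$?
        set_allow_connections "$db" false   # always lock it again, even on failure
        return "$status"
    fi
    $PSQL -d "$db" -f "$FIX_SQL"
}

# Enumerate every database of the cluster, template0 and template1 included,
# and apply the fix to each one.
fix_all_databases() {
    [ -r "$FIX_SQL" ] || { echo "fix script not found: $FIX_SQL" >&2; return 1; }
    $PSQL -At -d postgres -c "SELECT datname, datallowconn FROM pg_database ORDER BY datname" |
    while IFS='|' read -r db allowconn; do
        echo "applying CVE-2024-4317 fix to database: $db" >&2
        fix_database "$db" "$allowconn"
    done
}

# Nothing touches the cluster unless explicitly requested.
if [ "${APPLY_CVE_2024_4317_FIX:-0}" = 1 ]; then
    fix_all_databases
fi
```

Run it as `sudo -u postgres env PG_MAJOR=15 APPLY_CVE_2024_4317_FIX=1 sh fix-all.sh`. Deciding whether to toggle on the real `datallowconn` flag rather than on the name `template0` covers the template0 case from the changelog and any other database that has been locked in the same way; `ON_ERROR_STOP=1` makes a failing script run abort the loop instead of leaving some databases silently unfixed.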

ffmpeg May 30th 15:07
Release: mantic Repo: universe Level: security New version: 7:6.0-6ubuntu1.1
Packages in group:  ffmpeg-doc libavcodec60 libavcodec-dev libavcodec-extra libavcodec-extra60 libavdevice60 libavdevice-dev libavfilter9 libavfilter-dev libavfilter-extra libavfilter-extra9 (... see all)

  ffmpeg (7:6.0-6ubuntu1.1) mantic-security; urgency=medium

  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2023-49502.patch: avfilter/bwdif: account for
      chroma sub-sampling in min size calculation
    - CVE-2023-49502
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2023-49528.patch: avfilter/af_dialoguenhance:
      fix overreads
    - CVE-2023-49528
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2023-50007.patch: avfilter/af_afwtdn: fix crash
      with EOF handling
    - CVE-2023-50007
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2023-50008.patch: avfilter/vf_colorcorrect: fix
      memory leaks
    - CVE-2023-50008
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2023-50009.patch: avfilter/edge_template: Fix
      small inputs with gaussian_blur()
    - CVE-2023-50009
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2023-50010.patch: avfilter/vf_gradfun: Do not
      overread last line
    - CVE-2023-50010
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2023-51793.patch: avfilter/vf_weave: Fix odd
      height handling
    - CVE-2023-51793
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2023-51794.patch: avfilter/af_stereowiden:
      Check length
    - CVE-2023-51794
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2023-51795-2024-31585.patch:
      avfilter/avf_showspectrum: fix off by 1 error
    - CVE-2023-51795
    - CVE-2024-31585
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2023-51796.patch: avfilter/f_reverse: Apply PTS
      compensation only when pts is available
    - CVE-2023-51796
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2023-51798.patch: avfilter/vf_minterpolate:
      Check pts before division
    - CVE-2023-51798
  * SECURITY UPDATE: use after free
    - debian/patches/CVE-2024-31578.patch: avutil/hwcontext: Don't
      assume frames_uninit is reentrant
    - CVE-2024-31578
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2024-31582.patch: avfilter/vf_codecview: fix
      heap buffer overflow
    - CVE-2024-31582

 -- Allen Huang <email address hidden> Tue, 28 May 2024 22:52:48 +0100

CVE-2023-49502 Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the ff_bwdif_filter_intra_c functi
CVE-2023-49528 Buffer Overflow vulnerability in FFmpeg version n6.1-3-g466799d4f5, allows a local attacker to execute arbitrary code and cause a denial of service (
CVE-2023-50007 Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the av_samples_set_silence function
CVE-2023-50008 Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the av_malloc function in libavuti
CVE-2023-50009 Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the ff_gaussian_blur_8 function in

python-pymysql May 30th 15:07
Release: mantic Repo: main Level: updates New version: 1.0.2-1ubuntu1.23.10.1
Packages in group:  python3-pymysql python-pymysql-doc

  python-pymysql (1.0.2-1ubuntu1.23.10.1) mantic-security; urgency=medium

  * SECURITY UPDATE: SQL injection via untrusted JSON input
    - debian/patches/CVE-2024-36039.patch: forbid dict parameter in
      pymysql/converters.py, pymysql/tests/test_connection.py.
    - CVE-2024-36039

 -- Marc Deslauriers <email address hidden> Tue, 28 May 2024 13:33:51 -0400

CVE-2024-36039 PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.

postgresql-15 May 30th 15:07
Release: mantic Repo: main Level: updates New version: 15.7-0ubuntu0.23.10.1
Packages in group:  libecpg6 libecpg-compat3 libecpg-dev libpgtypes3 libpq5 libpq-dev postgresql-client-15 postgresql-doc-15 postgresql-plperl-15 postgresql-plpython3-15 postgresql-pltcl-15 (... see all)

(changelog and references identical to the postgresql-15 15.7-0ubuntu0.23.10.1 entry above)

postgresql-14 May 30th 15:06
Release: jammy Repo: universe Level: updates New version: 14.12-0ubuntu0.22.04.1
Packages in group:  postgresql-server-dev-14

  postgresql-14 (14.12-0ubuntu0.22.04.1) jammy-security; urgency=medium

  * New upstream version (LP: #2067388).

    + A dump/restore is not required for those running 14.X.

    + However, a security vulnerability was found in the system views
      pg_stats_ext and pg_stats_ext_exprs, potentially allowing
      authenticated database users to see data they shouldn't. If this is of
      concern in your installation, follow the steps below to rectify it.

    + Also, if you are upgrading from a version earlier than 14.11, see
      those release notes as well please.

    + Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries
      to the table owner (Nathan Bossart)

      These views failed to hide statistics for expressions that involve
      columns the accessing user does not have permission to read. View
      columns such as most_common_vals might expose security-relevant
      data. The potential interactions here are not fully clear, so in the
      interest of erring on the side of safety, make rows in these views
      visible only to the owner of the associated table.

      The PostgreSQL Project thanks Lukas Fittl for reporting this
      problem.

      By itself, this fix will only fix the behavior in newly initdb'd
      database clusters. If you wish to apply this change in an existing
      cluster, you will need to do the following:

        - In each database of the cluster, run the
          /usr/share/postgresql/14/fix-CVE-2024-4317.sql script as superuser. In
          psql this would look like:

            \i /usr/share/postgresql/14/fix-CVE-2024-4317.sql

          It will not hurt to run the script more than once.

        - Do not forget to include the template0 and template1 databases,
          or the vulnerability will still exist in databases you create
          later. To fix template0, you'll need to temporarily make it accept
          connections. Do that with:

            ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

          and then after fixing template0, undo it with:

            ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;

      (CVE-2024-4317)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/14/release-14-12.html

  * d/postgresql-14.NEWS: Update.

 -- Sergio Durigan Junior <email address hidden> Tue, 28 May 2024 09:51:10 -0400

2067388 New upstream microreleases 12.19, 14.12, 15.7 and 16.3
CVE-2024-4317 Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common value

python-pymysql May 30th 15:06
Release: jammy Repo: main Level: updates New version: 1.0.2-1ubuntu1.22.04.1
Packages in group:  python3-pymysql python-pymysql-doc

  python-pymysql (1.0.2-1ubuntu1.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: SQL injection via untrusted JSON input
    - debian/patches/CVE-2024-36039.patch: forbid dict parameter in
      pymysql/converters.py, pymysql/tests/test_connection.py.
    - CVE-2024-36039

 -- Marc Deslauriers <email address hidden> Tue, 28 May 2024 13:34:34 -0400

CVE-2024-36039 PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.

postgresql-14 May 30th 15:06
Release: jammy Repo: main Level: updates New version: 14.12-0ubuntu0.22.04.1
Packages in group:  libecpg6 libecpg-compat3 libecpg-dev libpgtypes3 libpq5 libpq-dev postgresql-client-14 postgresql-doc-14 postgresql-plperl-14 postgresql-plpython3-14 postgresql-pltcl-14 (... see all)

(changelog and references identical to the postgresql-14 14.12-0ubuntu0.22.04.1 entry above)

python-pymysql May 30th 15:06
Release: focal Repo: main Level: updates New version: 0.9.3-2ubuntu3.1
Packages in group:  python3-pymysql python-pymysql-doc

  python-pymysql (0.9.3-2ubuntu3.1) focal-security; urgency=medium

  * SECURITY UPDATE: SQL injection via untrusted JSON input
    - debian/patches/CVE-2024-36039.patch: forbid dict parameter in
      pymysql/converters.py, pymysql/tests/test_connection.py.
    - CVE-2024-36039
  * Fix FTBFS caused by MySQL deprecation warnings (LP: #1891484)
    - debian/patches/disable_warnings.patch: disable auto show warnings in
      some tests as newer MySQL versions have some deprecation warnings
      that break test results.

 -- Marc Deslauriers <email address hidden> Tue, 28 May 2024 13:36:35 -0400

1891484 python-pymysql ftbfs in focal
CVE-2024-36039 PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.

postgresql-16 May 30th 14:07
Release: noble Repo: universe Level: security New version: 16.3-0ubuntu0.24.04.1
Packages in group:  postgresql-server-dev-16

  postgresql-16 (16.3-0ubuntu0.24.04.1) noble-security; urgency=medium

  * New upstream version (LP: #2067388).

    + A dump/restore is not required for those running 16.X.

    + However, a security vulnerability was found in the system views
      pg_stats_ext and pg_stats_ext_exprs, potentially allowing
      authenticated database users to see data they shouldn't. If this is of
      concern in your installation, follow the steps below to rectify it.

    + Also, if you are upgrading from a version earlier than 16.2, see
      those release notes as well please.

    + Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries
      to the table owner (Nathan Bossart)

      These views failed to hide statistics for expressions that involve
      columns the accessing user does not have permission to read. View
      columns such as most_common_vals might expose security-relevant
      data. The potential interactions here are not fully clear, so in the
      interest of erring on the side of safety, make rows in these views
      visible only to the owner of the associated table.

      The PostgreSQL Project thanks Lukas Fittl for reporting this
      problem.

      By itself, this fix will only fix the behavior in newly initdb'd
      database clusters. If you wish to apply this change in an existing
      cluster, you will need to do the following:

        - In each database of the cluster, run the
          /usr/share/postgresql/16/fix-CVE-2024-4317.sql script as superuser. In
          psql this would look like:

            \i /usr/share/postgresql/16/fix-CVE-2024-4317.sql

          It will not hurt to run the script more than once.

        - Do not forget to include the template0 and template1 databases,
          or the vulnerability will still exist in databases you create
          later. To fix template0, you'll need to temporarily make it accept
          connections. Do that with:

            ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

          and then after fixing template0, undo it with:

            ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;

      (CVE-2024-4317)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/16/release-16-3.html.

  * d/postgresql-16.NEWS: Update.

 -- Sergio Durigan Junior <email address hidden> Wed, 29 May 2024 13:16:10 -0400

2067388 New upstream microreleases 12.19, 14.12, 15.7 and 16.3
CVE-2024-4317 Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common value

postgresql-16 May 30th 14:07
Release: noble Repo: main Level: security New version: 16.3-0ubuntu0.24.04.1
Packages in group:  libecpg6 libecpg-compat3 libecpg-dev libpgtypes3 libpq5 libpq-dev postgresql-client-16 postgresql-doc-16 postgresql-plperl-16 postgresql-plpython3-16 postgresql-pltcl-16 (... see all)

(changelog and references identical to the postgresql-16 16.3-0ubuntu0.24.04.1 entry above)

node-browserify-sign May 30th 14:07
Release: mantic Repo: universe Level: updates New version: 4.2.1-3ubuntu0.1
Packages in group: 

  node-browserify-sign (4.2.1-3ubuntu0.1) mantic-security; urgency=medium

  * SECURITY UPDATE: Signature Forgery Attack
    - debian/patches/CVE-2023-46234.patch: fixed an upper bound check issue in
      `dsaVerify` function
    - CVE-2023-46234

 -- Amir Naseredini <email address hidden> Tue, 28 May 2024 12:26:03 +0100

CVE-2023-46234 browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on i

postgresql-15 May 30th 14:07
Release: mantic Repo: universe Level: security New version: 15.7-0ubuntu0.23.10.1
Packages in group:  postgresql-server-dev-15

(changelog and references identical to the postgresql-15 15.7-0ubuntu0.23.10.1 entry above)

postgresql-15 May 30th 14:07
Release: mantic Repo: main Level: security New version: 15.7-0ubuntu0.23.10.1
Packages in group:  libecpg6 libecpg-compat3 libecpg-dev libpgtypes3 libpq5 libpq-dev postgresql-client-15 postgresql-doc-15 postgresql-plperl-15 postgresql-plpython3-15 postgresql-pltcl-15 (... see all)

(changelog and references identical to the postgresql-15 15.7-0ubuntu0.23.10.1 entry above)

node-browserify-sign May 30th 14:07
Release: jammy Repo: universe Level: updates New version: 4.2.1-2ubuntu0.1
Packages in group: 

  node-browserify-sign (4.2.1-2ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Signature Forgery Attack
    - debian/patches/CVE-2023-46234.patch: fixed an upper bound check issue in
      `dsaVerify` function
    - CVE-2023-46234
  * debian/rules: disabled running the tests during build because of LP bug
    #1979639

 -- Amir Naseredini <email address hidden> Wed, 29 May 2024 16:02:25 +0100

CVE-2023-46234 browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on i

postgresql-14 May 30th 14:07
Release: jammy Repo: universe Level: security New version: 14.12-0ubuntu0.22.04.1
Packages in group:  postgresql-server-dev-14

(changelog and references identical to the postgresql-14 14.12-0ubuntu0.22.04.1 entry above)
