Package "libecpg-compat3"

  postgresql-15 (15.4-0ubuntu0.23.04.1) lunar-security; urgency=medium

  * New upstream version (LP: #2028426).

    + A dump/restore is not required for those running 15.X.

    + However, if you use BRIN indexes, it may be advisable to reindex them.

    + Also, if you are upgrading from a version earlier than 15.1, see
      those release notes as well please.

    + Disallow substituting a schema or owner name into an extension script
      if the name contains a quote, backslash, or dollar sign (Noah Misch)

      This restriction guards against SQL-injection hazards for trusted
      extensions.
      (CVE-2023-39417)

    + Fix MERGE to enforce row security policies properly (Dean Rasheed)
      (CVE-2023-39418)

    + Fix confusion between empty (no rows) ranges and all-NULL ranges in
      BRIN indexes, as well as incorrect merging of all-NULL summaries
      (Tomas Vondra)

      Each of these oversights could result in forgetting that a BRIN
      index range contains any NULL values, potentially allowing
      subsequent queries that should return NULL values to miss doing so.

      This fix will not in itself correct faulty BRIN entries.
      It's recommended to REINDEX any BRIN indexes that
      may be used to search for nulls.

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/15/release-15-4.html.

 -- Athos Ribeiro <email address hidden> Wed, 09 Aug 2023 09:00:47 -0300

  postgresql-15 (15.3-0ubuntu0.23.04.1) lunar-security; urgency=medium

  * New upstream version (LP: #2019214).

    + A dump/restore is not required for those running 15.X.

    + Also, if you are upgrading from a version earlier than 15.1, see
      those release notes as well please.

    + Prevent CREATE SCHEMA from defeating changes in search_path
      (Alexander Lakhin)

      Within a CREATE SCHEMA command, objects in the prevailing
      search_path, as well as those in the newly-created schema, would be
      visible even within a called function or script that attempted to set
      a secure search_path. This could allow any user having permission to
      create a schema to hijack the privileges of a security definer
      function or extension script.
      (CVE-2023-2454)

    + Enforce row-level security policies correctly after inlining a
      set-returning function (Stephen Frost, Tom Lane)

      If a set-returning SQL-language function refers to a table having
      row-level security policies, and it can be inlined into a calling
      query, those RLS policies would not get enforced properly in some
      cases involving re-using a cached plan under a different role. This
      could allow a user to see or modify rows that should have been
      invisible.
      (CVE-2023-2455)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/15/release-15-3.html.

 -- Sergio Durigan Junior <email address hidden> Thu, 11 May 2023 16:24:27 -0400