-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 08 Jul 2026 18:12:26 +0200 Source: pgextwlist Binary: postgresql-17-pgextwlist postgresql-17-pgextwlist-dbgsym Architecture: ppc64el Version: 1.19-1+deb13u1 Distribution: trixie-security Urgency: medium Maintainer: ppc64el Build Daemon (ppc64el-conova-02) Changed-By: Christoph Berg Description: postgresql-17-pgextwlist - PostgreSQL Extension Whitelisting Changes: pgextwlist (1.19-1+deb13u1) trixie-security; urgency=medium . * Reject substituting extension schemas or owners matching ["$'\]. . The extwlist.custom_path script mechanism was vulnerable to SQL injection via crafted schema and user names. The same problem was fixed in August 2023 in PostgreSQL (cd5f2a3570), and is now fixed in pgextwlist as well. Substitutions that attempt to insert any of "$'\ are now simply rejected. (We don't try to quote the values as we don't know which quoting context we are in.) . CVE-2023-39417 Checksums-Sha1: 4e885630331b0101b9e08ca81dad6cf68c7f46f7 9457 pgextwlist_1.19-1+deb13u1_ppc64el-buildd.buildinfo 8a6dfaabcca508a019af0dcb1f89aa8f669914ab 64160 postgresql-17-pgextwlist-dbgsym_1.19-1+deb13u1_ppc64el.deb 24b4227f9d038493c1f006950ff8dc3ebb190287 33536 postgresql-17-pgextwlist_1.19-1+deb13u1_ppc64el.deb Checksums-Sha256: fefa5034b8777d7579facc3c187ba77cd5afd2d7f6da763d0d0b098be79c89c1 9457 pgextwlist_1.19-1+deb13u1_ppc64el-buildd.buildinfo 2b6467a3cd4c4b817edc2c66cec8777a20c27d58bb974ee6d959bac09eb711da 64160 postgresql-17-pgextwlist-dbgsym_1.19-1+deb13u1_ppc64el.deb 89cfc6f917a832b9a14180fbfa4d83831d88b423c283021a4fc5d4436763b9e6 33536 postgresql-17-pgextwlist_1.19-1+deb13u1_ppc64el.deb Files: 77a394f89abc9b0cac1056c98d053575 9457 database optional pgextwlist_1.19-1+deb13u1_ppc64el-buildd.buildinfo b74a3711c205df32b525c74c1ec4e7dd 64160 debug optional postgresql-17-pgextwlist-dbgsym_1.19-1+deb13u1_ppc64el.deb 1350f29b3f68167934546459786151bb 33536 libs optional postgresql-17-pgextwlist_1.19-1+deb13u1_ppc64el.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEySUEQfg5pZeb/U372FRWNm40e2YFAmpOkjUACgkQ2FRWNm40 e2aFaw/8CP2tAKycnzQjUJ5HJlhe9/FwmzIE5ZwwuvAKOSF+X1UFv3UsD2cU2e/a cFCwZc5o1C2NA2AJXTv/Z1mTqyRMkvA3sGl8UawOmnRXZQTESpbZS+/z8Z4nRgw5 VE34Nqx4nEz4v0h+Bx7Kh2RHXXvnDqOmBsisJhu/FeRvmc2RQFWTa6gWzGxJe8VG i0JFthRtyHupvOVYEy6wWBr/8pkQx5Znh45KffaD9SNLqYyVXj+jHUpL62LJvZuz +lucAYzPVHJDrBrwpKf55Pp5L5kqCADrmHdU421wCY90Nw6ri2jZJsYGJkItIUli CsMZsz4UnxGTKBqXUMaBZY0vVAswwXFi/5DrNvxTpVcGWtneg3doIQNyh5RqEW4E vbcwWntjWpfkPpefGy5YUX5YClgksQSvhkEIpOAHrI/lDMMMrv1zVvxFWQ5mSEqa 1T9h608ylErRqwiGxrUaCfApU1aLvUuCOr/BL4t9/q/ijphHFneWMtyWnc1V91h3 WbvZiRacLI5g0gmEIHDO0/g+LtKwLygneX7u/KrrPxIBza/mgPo6+4WWBuE0BXjR UL2NrNpMTt2jmOKg0U9X/GnKsFbO9fS7Xr+c/pIrxMm3vVZekqXBz0en33JwVB89 XVFtTiSNi2yqVy3IU1j0xa7NQj5MPtZSZuowoLYu0F2MxXQWfcQ= =sAkL -----END PGP SIGNATURE-----