-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 8 Jul 2026 19:40:41 CEST Source: pgextwlist Architecture: source Version: 1.19-1+deb13u1 Distribution: trixie-security Urgency: medium Maintainer: Debian PostgreSQL Maintainers Changed-By: Christoph Berg Changes: pgextwlist (1.19-1+deb13u1) trixie-security; urgency=medium . * Reject substituting extension schemas or owners matching ["$'\]. . The extwlist.custom_path script mechanism was vulnerable to SQL injection via crafted schema and user names. The same problem was fixed in August 2023 in PostgreSQL (cd5f2a3570), and is now fixed in pgextwlist as well. Substitutions that attempt to insert any of "$'\ are now simply rejected. (We don't try to quote the values as we don't know which quoting context we are in.) . CVE-2023-39417 Checksums-Sha256: ebf7ea470f27ff4b083ee873d9d891c9542f45945802b6a3bfa0f22267ceedd9 2175 pgextwlist_1.19-1+deb13u1.dsc 4ef570146b1cdd89c7142322343dca297bf0079cb494bfecbe8a170574c1b115 5544 pgextwlist_1.19-1+deb13u1.debian.tar.xz 449cf6a277bcd590b59c151d24ae670e86fd9bde32f30925163e452653f59be4 19593 pgextwlist_1.19.orig.tar.gz Checksums-Sha1: fb15e6151d7812ae82a8faa8378f5a4707ad9d0f 2175 pgextwlist_1.19-1+deb13u1.dsc 1331193ac63a7df91a6ca617710948b1e0f2d5b9 5544 pgextwlist_1.19-1+deb13u1.debian.tar.xz e2c59f4f20911e67185db6d2facc123b09dd5781 19593 pgextwlist_1.19.orig.tar.gz Files: c63b3d8e413e6d454b0a627579fccccf 2175 database optional pgextwlist_1.19-1+deb13u1.dsc a8ccafdfeead2bc44508df4f746e672e 5544 database optional pgextwlist_1.19-1+deb13u1.debian.tar.xz 941ad7cd1f9bd64036912dc72b81afc4 19593 database optional pgextwlist_1.19.orig.tar.gz -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmpOi6oACgkQTFprqxLS p66YohAApupTX+MYjhb0IQci1oTNmwdo++mPz7ItaLIB8XEBsrNLmKgy3XBT2LZo zrHKArBdMlrvIn7wkIRyKJd9nkMhQu/1C8XX8BPKU6rmcEZNgz4N4XQkwxl19KIW 0/QOSFcn+GrsFAen5xSaQBCXY4rlsOgR7GnEKe/GjqJSWhpQD+hNiEta7OKxDlNM CJwgNLxZ/3A7SPF3w8M5ridWBt4UeBhqEIQgrmQ7zgFuJ+Hgr025CcxTOOpTkeMn eT11asjH9q+/YRCEiWEJ4vccWKo5PKrCiZIt1qoSlFdamYILK7NV9aBfFyXRucyd DhL1ZFnr+ivlLI/ikob/ubZxdRzvHz5aUjHjlQRLZSbfddThr7WmWJqZu+ehpjC0 DfanqYVbfZxw3zeGM20h8KUeU5H4dsn90OEO/lokvjGq0WUGl7az8k4Pta6t/L3A 4s9j0OztCSEx4V5fy2CNQEFSgjAGRyFrRaUeAIKHfhuEnnegvq5RFwgGVD/wiVxi e1k+k63yWL+B9p+LPExcKbthMkcF0d7XTVGeUaRLg3NNm/2oHbRSbBwgxO6zWSSQ /2RKcdhXMyO/UtI8t/+PbpTNGa6hOg0DjNk6KFu1KTDbgsyyd4lgdcXlxjyePBVj yE0ifWFYAabp1zztlMwL5N/fS+C0fk01ww6tSFfPm71iEyUDiVc= =rmTz -----END PGP SIGNATURE-----