-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 08 Jul 2026 18:12:26 +0200 Source: pgextwlist Binary: postgresql-17-pgextwlist postgresql-17-pgextwlist-dbgsym Architecture: amd64 Version: 1.19-1+deb13u1 Distribution: trixie-security Urgency: medium Maintainer: all / amd64 / i386 Build Daemon (x86-conova-01) Changed-By: Christoph Berg Description: postgresql-17-pgextwlist - PostgreSQL Extension Whitelisting Changes: pgextwlist (1.19-1+deb13u1) trixie-security; urgency=medium . * Reject substituting extension schemas or owners matching ["$'\]. . The extwlist.custom_path script mechanism was vulnerable to SQL injection via crafted schema and user names. The same problem was fixed in August 2023 in PostgreSQL (cd5f2a3570), and is now fixed in pgextwlist as well. Substitutions that attempt to insert any of "$'\ are now simply rejected. (We don't try to quote the values as we don't know which quoting context we are in.) . CVE-2023-39417 Checksums-Sha1: 942349a3a6e9994b3e2bcaaf40d2f7e4fc3b20d6 9458 pgextwlist_1.19-1+deb13u1_amd64-buildd.buildinfo b4df9b24388486302482a4ffc2c03b26eb4b5af1 58936 postgresql-17-pgextwlist-dbgsym_1.19-1+deb13u1_amd64.deb dc76c75da807ca4b7dd78e21b05dd58c8068cd13 30924 postgresql-17-pgextwlist_1.19-1+deb13u1_amd64.deb Checksums-Sha256: cc5a0953fabf0c43e733ee1648658e06a3db5cb641100c0d0dcc319ce0490a29 9458 pgextwlist_1.19-1+deb13u1_amd64-buildd.buildinfo 4f56a92d8ae8fca5586f4798e7ba7039e0b2a8ca099352d9a00cb64b7e058880 58936 postgresql-17-pgextwlist-dbgsym_1.19-1+deb13u1_amd64.deb f8e4b9d8e506d00461eda90ff2e74fc0b9e14931678368a8d4793e3dd0def978 30924 postgresql-17-pgextwlist_1.19-1+deb13u1_amd64.deb Files: bfca6e87d35951128d4d453e50c7b30e 9458 database optional pgextwlist_1.19-1+deb13u1_amd64-buildd.buildinfo 9c39bb00148662521c987f3abb6f3888 58936 debug optional postgresql-17-pgextwlist-dbgsym_1.19-1+deb13u1_amd64.deb 3d3192da4deeede180aab0a8aa00aae4 30924 libs optional postgresql-17-pgextwlist_1.19-1+deb13u1_amd64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7cQ9mRD4+dWjjrb6PkCWRKsh20cFAmpOkswACgkQPkCWRKsh 20c9Iw//b21QQ5ey1nALFt71Uj/jzDM0WuEFHEmy8IjlO1IUqaIRtrIvmvYwi/AG oqWOLzg0lmMLU79l10gZ44HCINiORWX5SRseETsedFpjaJKQKu8szzxjMDKcUIG+ C50TAsfxNi+Hmw8/JnEZnGCKeaKLZzl5m4Re9jRRXqbKfgnt1hLJI42P+aIejAYy 2l4GsE1krguieirIyY+HrEFt9Fm096vQ7K/EeYL3Q+LKcpQd3dU35awkFGEs9d3g P9hJoToAA/0CZINHHe0NYSJw8JWAiBmWWEQycJL69lHVvPwbsWCZEP2lqvgvtDAa GdCL0dCHCgdB/ysD7g2DUiSezHCfgE3NBE/smdpkLoD1opNbQ7JsGB6oAIX2FWcz TKGnZGEGssEIJlJdRRazvEMR9AVqlOs/WxzMJidj7qUQGhI8Jyudw4r5WbWyZ24o d2oKtZLV+Vi6RaSjO52LjhfH5NebNpHilXPgnZkRmsXcq1tSYnno3lqVOyk2zjcc WQRegdD/47HKP4ZpziUE40D2VWdQj08gdcFp/944+e5OtyJAl2BkOWKVxFxJ2RK9 rpR1qE67gLgUM+w1mavbGY1aIXSUb9dzHcHL1wxqlN+ZWn3tETxmrTq6eN+2TUaY ZgVPEHPaKp95sWZYwLrsIBU4Em4MBZFEipt1qhgqQI06OfiyMII= =k49Q -----END PGP SIGNATURE-----