-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 08 Jul 2026 18:12:26 +0200 Source: pgextwlist Binary: postgresql-17-pgextwlist postgresql-17-pgextwlist-dbgsym Architecture: arm64 Version: 1.19-1+deb13u1 Distribution: trixie-security Urgency: medium Maintainer: arm64 Build Daemon (arm-ubc-03) Changed-By: Christoph Berg Description: postgresql-17-pgextwlist - PostgreSQL Extension Whitelisting Changes: pgextwlist (1.19-1+deb13u1) trixie-security; urgency=medium . * Reject substituting extension schemas or owners matching ["$'\]. . The extwlist.custom_path script mechanism was vulnerable to SQL injection via crafted schema and user names. The same problem was fixed in August 2023 in PostgreSQL (cd5f2a3570), and is now fixed in pgextwlist as well. Substitutions that attempt to insert any of "$'\ are now simply rejected. (We don't try to quote the values as we don't know which quoting context we are in.) . CVE-2023-39417 Checksums-Sha1: 8067a414ae355f96429f14b7505b724999747199 9442 pgextwlist_1.19-1+deb13u1_arm64-buildd.buildinfo d95073cd849fe7fbbeac498210cd2c38ce8c7c5a 58544 postgresql-17-pgextwlist-dbgsym_1.19-1+deb13u1_arm64.deb 84e9fb6675e18ce6f19dd9e56ff4ef87c0404d5a 30616 postgresql-17-pgextwlist_1.19-1+deb13u1_arm64.deb Checksums-Sha256: b43020fb0734c8b2bfe2a5d78f61e45d787af61a3c7bd9e6243aaa94e458ba4e 9442 pgextwlist_1.19-1+deb13u1_arm64-buildd.buildinfo 58234551adb207493ba77774ec54c7c8ba3c03047e4f9491d9dc75e2d8cdb166 58544 postgresql-17-pgextwlist-dbgsym_1.19-1+deb13u1_arm64.deb 5dbd884b8d3cb50d144e56ba307ca5d361d227356d43132eb4119907b507050a 30616 postgresql-17-pgextwlist_1.19-1+deb13u1_arm64.deb Files: 3279c562a163fff8f19e9a34622e8051 9442 database optional pgextwlist_1.19-1+deb13u1_arm64-buildd.buildinfo 4f6fa4eeae718c5544bbedfd87b393da 58544 debug optional postgresql-17-pgextwlist-dbgsym_1.19-1+deb13u1_arm64.deb 7bec4b98cd006fdc9effd15f028621ac 30616 libs optional postgresql-17-pgextwlist_1.19-1+deb13u1_arm64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE2kd8oHy+LXk/nybqvzDqKQSGl8UFAmpOkiEACgkQvzDqKQSG l8X8ZQ//Sfi0hCDHqGie3SyCVxWPpGD2db9e3d5mB6zzyYPNWNwfs5NeeSMryeGu K7Pq6CS//fPUuCJlKPQFNbQrmXqci+TeRQ+9XAagawy39TcNdBuhegKpuiJpDOmE tbtbTfE4YXuXtxrmRfyim47HJpibuwap3UIFN9HQNtbjmWZ1nOMT/31RyA+EAtav CtECL5gVzGo/5S9JW+X4xrGVBfjcOlWyz64Z58QvtqiXMZnGHgbz5vBR3oDR8EK7 nfJDw5PkTy75f4Z/ysFpBaJVHTSZfLiydgqt15HztM6tyPAknzVEwp21KLEo4nuO 72/uD906FgkOdCEArQNLzrosWjpRk4W02oRi/Wzom5R5ULtyZ1W+hTYNJiLmnvWY aM9qSCHfze2YTejw81waHveRn1BhiRiGW0MvBPnQjc0aGW0Cp7nARWKJPXbzPrb2 k8xLyI0q9xJMG8ng4txduYvK72IgBs6omqI/iaVg4Fx2ktqAUDMNIr+OGIaKU5RQ r7/ipCLPN0VPdv32RZm0SovZb8ivdkBXAp0D4EGhk+uVubB+xHPVJL2KUNsLZgZf VTXqfx9KL3LlEwJWE0LY+yGBP9EUz7SCglqpZRCvRFt30KevMNGeYtf/neOEeafH ZgOA2ala6kNXiMRGlUbIRASuEdrg8FSXtoNpJdKor+hsxEFozR0= =zh+m -----END PGP SIGNATURE-----