-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 08 Jul 2026 18:12:26 +0200 Source: pgextwlist Binary: postgresql-17-pgextwlist postgresql-17-pgextwlist-dbgsym Architecture: riscv64 Version: 1.19-1+deb13u1 Distribution: trixie-security Urgency: medium Maintainer: riscv64 Build Daemon (rv-manda-03) Changed-By: Christoph Berg Description: postgresql-17-pgextwlist - PostgreSQL Extension Whitelisting Changes: pgextwlist (1.19-1+deb13u1) trixie-security; urgency=medium . * Reject substituting extension schemas or owners matching ["$'\]. . The extwlist.custom_path script mechanism was vulnerable to SQL injection via crafted schema and user names. The same problem was fixed in August 2023 in PostgreSQL (cd5f2a3570), and is now fixed in pgextwlist as well. Substitutions that attempt to insert any of "$'\ are now simply rejected. (We don't try to quote the values as we don't know which quoting context we are in.) . CVE-2023-39417 Checksums-Sha1: 214828a03d2d73ade99ff229d7bc826eb7388c76 8046 pgextwlist_1.19-1+deb13u1_riscv64-buildd.buildinfo 14f43d62026fce82b46e170ad67585f2b3fce927 58036 postgresql-17-pgextwlist-dbgsym_1.19-1+deb13u1_riscv64.deb 654ce85ca061399014db574d1c53d513f99b4043 13308 postgresql-17-pgextwlist_1.19-1+deb13u1_riscv64.deb Checksums-Sha256: d2c26cdd9089200a6b575015901de0e1520eba3dcfdeb969ce87d7eeb27f0393 8046 pgextwlist_1.19-1+deb13u1_riscv64-buildd.buildinfo e9297f9b6cfa510df38243e43d9ccdaa54d4d550c1de9ad1c14e72950ec4f0e1 58036 postgresql-17-pgextwlist-dbgsym_1.19-1+deb13u1_riscv64.deb cb6b8023342d1dc88d06ebc911d3e7da00a54a775ccb275e17fb026e08370acb 13308 postgresql-17-pgextwlist_1.19-1+deb13u1_riscv64.deb Files: 37c9381fc73f6a40e967b245446ee2ce 8046 database optional pgextwlist_1.19-1+deb13u1_riscv64-buildd.buildinfo 09191490e1770ae74e4d582628531fa8 58036 debug optional postgresql-17-pgextwlist-dbgsym_1.19-1+deb13u1_riscv64.deb b39c2e485370690784186053d420e710 13308 libs optional postgresql-17-pgextwlist_1.19-1+deb13u1_riscv64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEXZ9jHPkg/vETgMJZlJNduPxUf2oFAmpOk7YACgkQlJNduPxU f2rgwA/+JX+tQ2v/fpddJH8l+NiiKvfiEY+V0QO/qZOs0fMPVYwmXj6nNs5uhtFL U+lfHOH0c0L9v+yD2yOWcRg9rC/iOOvzn1EvXNt/ljnU6InBJEbUWtw/Mpbj1dsA NPX38bAHISOjNdolMFcpV5EkNLXPbjOtJ/iU4vILcy7YBw7XudOc8WTc5qbNjeee IAVB2430VQ3ilQe/S89mIkFgLBRtJFV3FO+MiA1REg3EPJkr247ULAyCO/b/ESvj OmSsAQH82kYz5Y//KYMnCbw3Aaqvwr/Ey4C1n5C/N+zM0RFLsSu3tiM3PPi2dcBE JM8npBWAQ1qVyXTNhmEpDX5BGZTKM1LmAwm7yCz/fpyNKhaoNR9V9GPyTQjpgC1c yEsOjsowcooJPJykhlCgvNtE31jgtVHupdb2osSt7Jq3VSe2ZHM2lza8xHCxIOxg 81Pq6dZ/utF8RowCyHjmJhcu8rAkRtDZ6geZOFjyZQE34kkOEYmR/XCWoqVNyPFp FzIcPU3Jvo4XAoyK48bg0e8ECeSZWlmj9a/fWl7Ae87FihuI4BIpZOcQrmXeNZSZ Jd2Q20pGqOBKBsDBWJ4A4tAxlqXKyfPWv/k11tNoUshF7aiwmrMAYl0xYut9gWYY mJW/HhDF6w1mWs7pvQoDHVQSNB6JjkniK0TQFEU8T6/I84iTmz0= =z7lv -----END PGP SIGNATURE-----