Changelog
postgresql-11 (11.16-0+deb10u1) buster-security; urgency=medium
* New upstream release.
* Confine additional operations within security restricted operation
sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW,
and pg_amcheck activated the security restricted operation protection
mechanism too late, or even not at all in some code paths. A user having
permission to create non-temporary objects within a database could
define an object that would execute arbitrary SQL code with superuser
permissions the next time that autovacuum processed the object, or that
some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this
problem. (CVE-2022-1552)
-- Christoph Berg <email address hidden> Wed, 11 May 2022 15:15:30 +0200