Update request: postgresql [multiple versions] - broken package #371348
Comments
|
THese are patched on nixos-unstable already. I assume you're opening this because we're still on 17.1 on 24.11. This is about to change with the current staging cycle: #369690 Closing, when this hits the stable channel. |
It did! |
|
Thanks @wolfgangwalther . Is there a way that released like this could be prioritized in future? |
The big number of rebuilds caused by an upgrade is the problem. A first step to reduce the rebuilds is #359659. This will not bring us all the way, as mentioned in the PR's description. But if we do this:
Then the number of rebuilds for updating the PostgreSQL derivation could possibly be low enough to merge this directly without staging. |
Package Information
In response to CVE-2024-10978 the PostgreSQL maintainers released a security patch and back-ported it to all supported versions: 17.1, 16.5, 15.9, 14.14, 13.17. 12.21
But these new versions introduced a serious bug, as noted in this news post:
The fix for CVE-2024-10978 accidentally caused settings for role to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.This silently breaks the
ALTER {ROLE|DATABASE} SET rolestatement. This can result in database objects being created with incorrect ownership which has security implications and can result in application downtime.The versions listed above should be considered "broken".
Further details:
https://www.postgresql.org/message-id/CADOZwSb0UsEr4_UTFXC5k7=fyyK8uKXekucd+-uuGjJsGBfxgw@mail.gmail.com
Checklist
Notify maintainers
@wolfgangwalther
@ivan
@Ma27
Note for maintainers: Please tag this issue in your PR.
Add a 👍 reaction to issues you find important.
The text was updated successfully, but these errors were encountered: