Comment 16 for bug 2028426

This bug was fixed in the package postgresql-15 - 15.4-0ubuntu0.23.04.1

---------------
postgresql-15 (15.4-0ubuntu0.23.04.1) lunar-security; urgency=medium

  * New upstream version (LP: #2028426).

    + A dump/restore is not required for those running 15.X.

    + However, if you use BRIN indexes, it may be advisable to reindex them.

    + Also, if you are upgrading from a version earlier than 15.1, see
      those release notes as well please.

    + Disallow substituting a schema or owner name into an extension script
      if the name contains a quote, backslash, or dollar sign (Noah Misch)

      This restriction guards against SQL-injection hazards for trusted
      extensions.
      (CVE-2023-39417)

    + Fix MERGE to enforce row security policies properly (Dean Rasheed)
      (CVE-2023-39418)

    + Fix confusion between empty (no rows) ranges and all-NULL ranges in
      BRIN indexes, as well as incorrect merging of all-NULL summaries
      (Tomas Vondra)

      Each of these oversights could result in forgetting that a BRIN
      index range contains any NULL values, potentially allowing
      subsequent queries that should return NULL values to miss doing so.

      This fix will not in itself correct faulty BRIN entries.
      It's recommended to REINDEX any BRIN indexes that
      may be used to search for nulls.

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/15/release-15-4.html.

 -- Athos Ribeiro <email address hidden> Wed, 09 Aug 2023 09:00:47 -0300