From da2eba045ab51c124062930f3b6c3ece9cc14aa6 Mon Sep 17 00:00:00 2001 From: Sven Klemm Date: Thu, 8 Aug 2024 07:23:21 +0200 Subject: [PATCH 1/2] Use explicit schema in format calls in DO blocks The DO blocks in the version update scripts did not sufficiently lock down search_path for the format calls allowing injection of a malicious format function to be executed during upgrades. --- sql/pgsodium--1.1.1--1.2.0.sql | 8 ++++---- sql/pgsodium--1.2.0--2.0.0.sql | 6 +++--- sql/pgsodium--3.0.4--3.0.5.sql | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/sql/pgsodium--1.1.1--1.2.0.sql b/sql/pgsodium--1.1.1--1.2.0.sql index 36e7b44..2af3fa6 100644 --- a/sql/pgsodium--1.1.1--1.2.0.sql +++ b/sql/pgsodium--1.1.1--1.2.0.sql @@ -107,7 +107,7 @@ BEGIN 'pgsodium_keymaker'] LOOP IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = new_role) THEN - EXECUTE format($i$ + EXECUTE pg_catalog.format($i$ CREATE ROLE %I WITH NOLOGIN NOSUPERUSER @@ -152,7 +152,7 @@ BEGIN 'crypto_sign_new_keypair' ] LOOP - EXECUTE format($i$ + EXECUTE pg_catalog.format($i$ REVOKE ALL ON FUNCTION %s FROM PUBLIC; GRANT EXECUTE ON FUNCTION %s TO pgsodium_keymaker; $i$, func, func); @@ -188,7 +188,7 @@ BEGIN 'crypto_sign_update_agg2' ] LOOP - EXECUTE format($i$ + EXECUTE pg_catalog.format($i$ REVOKE ALL ON FUNCTION %s FROM PUBLIC; GRANT EXECUTE ON FUNCTION %s TO pgsodium_keyholder; $i$, func, func); @@ -220,7 +220,7 @@ BEGIN 'crypto_shorthash' ] LOOP - EXECUTE format($i$ + EXECUTE pg_catalog.format($i$ REVOKE ALL ON FUNCTION %s FROM PUBLIC; GRANT EXECUTE ON FUNCTION %s TO pgsodium_keyiduser; $i$, func, func); diff --git a/sql/pgsodium--1.2.0--2.0.0.sql b/sql/pgsodium--1.2.0--2.0.0.sql index 6cd623f..057b45c 100644 --- a/sql/pgsodium--1.2.0--2.0.0.sql +++ b/sql/pgsodium--1.2.0--2.0.0.sql 
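Review bot: The role-existence check in the context line just above the changed call, `IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = new_role)`, still names `pg_roles` without a schema, so it relies on the same search_path that the commit message says is not locked down. Relation lookup is less exposed than function lookup because pg_catalog is searched first by default, but a path that lists pg_catalog explicitly after another schema changes that, so `FROM pg_catalog.pg_roles` would match the fix made to `format`. The check also accepts any pre-existing role of that name as it is, so a role created beforehand with attributes other than `NOLOGIN NOSUPERUSER` would be kept and, judging by the later hunks, given EXECUTE grants; a comment stating that assumption, or a check of the role's attributes, would help. The DO block starts and ends outside the hunk.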
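Review bot: The `func` values interpolated with `%s` into `REVOKE ALL ON FUNCTION %s` and `GRANT EXECUTE ON FUNCTION %s` are bare names in this script (`'crypto_sign_new_keypair'`, `'crypto_sign_update_agg2'`, `'crypto_shorthash'`), so the function that receives the grant is still resolved through search_path even though `format` itself is now pinned. The same holds for the two following hunks of this file and for the three hunks of sql/pgsodium--1.2.0--2.0.0.sql, while the 3.0.4--3.0.5 script already writes `'pgsodium.crypto_aead_ietf_decrypt(bytea, bytea, bytea, uuid)'`. If the extension schema is fixed at these versions, qualifying the array entries the same way (for example `'pgsodium.crypto_sign_new_keypair'`, or with `@extschema@` if the extension is not relocatable) would close that gap. Failing that, a `SET LOCAL search_path` at the top of each DO block would cover both the function names and any other unqualified lookups; the array literals and the block bodies extend outside the hunks, so the full lists are not visible here.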
@@ -169,7 +169,7 @@ BEGIN 'crypto_aead_det_keygen' ] LOOP - EXECUTE format($i$ + EXECUTE pg_catalog.format($i$ REVOKE ALL ON FUNCTION %s FROM PUBLIC; GRANT EXECUTE ON FUNCTION %s TO pgsodium_keymaker; $i$, func, func); @@ -194,7 +194,7 @@ BEGIN 'crypto_aead_det_decrypt(bytea, bytea, bytea, bytea)' ] LOOP - EXECUTE format($i$ + EXECUTE pg_catalog.format($i$ REVOKE ALL ON FUNCTION %s FROM PUBLIC; GRANT EXECUTE ON FUNCTION %s TO pgsodium_keyholder; $i$, func, func); @@ -214,7 +214,7 @@ BEGIN 'crypto_aead_det_decrypt(bytea, bytea, bigint, bytea, bytea)' ] LOOP - EXECUTE format($i$ + EXECUTE pg_catalog.format($i$ REVOKE ALL ON FUNCTION %s FROM PUBLIC; GRANT EXECUTE ON FUNCTION %s TO pgsodium_keyiduser; $i$, func, func); diff --git a/sql/pgsodium--3.0.4--3.0.5.sql b/sql/pgsodium--3.0.4--3.0.5.sql index fd34c8c..2fb2824 100644 --- a/sql/pgsodium--3.0.4--3.0.5.sql +++ b/sql/pgsodium--3.0.4--3.0.5.sql @@ -870,7 +870,7 @@ BEGIN 'pgsodium.crypto_aead_ietf_decrypt(bytea, bytea, bytea, uuid)' ] LOOP - EXECUTE format($i$ + EXECUTE pg_catalog.format($i$ REVOKE ALL ON FUNCTION %s FROM PUBLIC; GRANT EXECUTE ON FUNCTION %s TO pgsodium_keyiduser; $i$, func, func); From 2512c2611a5ea241ea32668489b2bf6a2f08ba7c Mon Sep 17 00:00:00 2001 From: Michel Pelletier Date: Tue, 7 Oct 2025 09:25:05 -0700 Subject: [PATCH 2/2] update github action versions. --- .github/workflows/jekyll-gh-pages.yml | 8 ++++---- .github/workflows/pages.yml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml index b90caab..9adc542 100644 --- a/.github/workflows/jekyll-gh-pages.yml +++ b/.github/workflows/jekyll-gh-pages.yml 
@@ -26,16 +26,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Pages - uses: actions/configure-pages@v2 + uses: actions/configure-pages@v5 - name: Build with Jekyll uses: actions/jekyll-build-pages@v1 with: source: ./docs destination: ./_site - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v3 # Deployment job deploy: @@ -47,4 +47,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v4 diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index 5b77df6..4c416f1 100644 --- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -26,16 +26,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Pages - uses: actions/configure-pages@v2 + uses: actions/configure-pages@v5 - name: Build with Jekyll uses: actions/jekyll-build-pages@v1 with: source: ./docs destination: ./_site - name: Upload artifact - uses: actions/upload-pages-artifact@v1 + uses: actions/upload-pages-artifact@v3 # Deployment job deploy: @@ -47,4 +47,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v1 + uses: actions/deploy-pages@v4