author | Tom Lane | 2017-11-06 17:02:30 +0000
---|---|---
committer | Tom Lane | 2017-11-06 17:02:30 +0000
commit | d69c0710a68068c7a415aaefd2c7d51f3197fe38 (patch) |
tree | ab462bd7dc9969e55fa0596b7c8ff3c12dee590e |
parent | 38e825632be777a6ea4a39796e121c39728403b3 (diff) |
Last-minute updates for release notes.
Security: CVE-2017-12172, CVE-2017-15098, CVE-2017-15099
mode | file | lines changed
---|---|---
-rw-r--r-- | doc/src/sgml/release-9.2.sgml | 25
-rw-r--r-- | doc/src/sgml/release-9.3.sgml | 42
-rw-r--r-- | doc/src/sgml/release-9.4.sgml | 42
-rw-r--r-- | doc/src/sgml/release-9.5.sgml | 75
-rw-r--r-- | doc/src/sgml/release-9.6.sgml | 75

5 files changed, 257 insertions, 2 deletions
diff --git a/doc/src/sgml/release-9.2.sgml b/doc/src/sgml/release-9.2.sgml index f0283ad500f..e1bfb2e2b22 100644 --- a/doc/src/sgml/release-9.2.sgml +++ b/doc/src/sgml/release-9.2.sgml @@ -42,6 +42,31 @@ <listitem> <para> + Fix sample server-start scripts to become <literal>$PGUSER</literal> + before opening <literal>$PGLOG</literal> (Noah Misch) + </para> + + <para> + Previously, the postmaster log file was opened while still running as + root. The database owner could therefore mount an attack against + another system user by making <literal>$PGLOG</literal> be a symbolic + link to some other file, which would then become corrupted by appending + log messages. + </para> + + <para> + By default, these scripts are not installed anywhere. Users who have + made use of them will need to manually recopy them, or apply the same + changes to their modified versions. If the + existing <literal>$PGLOG</literal> file is root-owned, it will need to + be removed or renamed out of the way before restarting the server with + the corrected script. + (CVE-2017-12172) + </para> + </listitem> + + <listitem> + <para> Properly reject attempts to convert infinite float values to type <type>numeric</type> (Tom Lane, KaiGai Kohei) </para> diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml index 160da1ca8b9..b198f85d802 100644 --- a/doc/src/sgml/release-9.3.sgml +++ b/doc/src/sgml/release-9.3.sgml 
@@ -36,6 +36,48 @@ <listitem> <para> + Fix crash due to rowtype mismatch + in <function>json{b}_populate_recordset()</function> + (Michael Paquier, Tom Lane) + </para> + + <para> + These functions used the result rowtype specified in the <literal>FROM + ... AS</literal> clause without checking that it matched the actual + rowtype of the supplied tuple value. If it didn't, that would usually + result in a crash, though disclosure of server memory contents seems + possible as well. + (CVE-2017-15098) + </para> + </listitem> + + <listitem> + <para> + Fix sample server-start scripts to become <literal>$PGUSER</literal> + before opening <literal>$PGLOG</literal> (Noah Misch) + </para> + + <para> + Previously, the postmaster log file was opened while still running as + root. The database owner could therefore mount an attack against + another system user by making <literal>$PGLOG</literal> be a symbolic + link to some other file, which would then become corrupted by appending + log messages. + </para> + + <para> + By default, these scripts are not installed anywhere. Users who have + made use of them will need to manually recopy them, or apply the same + changes to their modified versions. If the + existing <literal>$PGLOG</literal> file is root-owned, it will need to + be removed or renamed out of the way before restarting the server with + the corrected script. + (CVE-2017-12172) + </para> + </listitem> + + <listitem> + <para> Properly reject attempts to convert infinite float values to type <type>numeric</type> (Tom Lane, KaiGai Kohei) </para> diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml index d5621fd1ce7..722a105c89c 100644 --- a/doc/src/sgml/release-9.4.sgml +++ b/doc/src/sgml/release-9.4.sgml 
@@ -35,6 +35,48 @@ <listitem> <para> + Fix crash due to rowtype mismatch + in <function>json{b}_populate_recordset()</function> + (Michael Paquier, Tom Lane) + </para> + + <para> + These functions used the result rowtype specified in the <literal>FROM + ... AS</literal> clause without checking that it matched the actual + rowtype of the supplied tuple value. If it didn't, that would usually + result in a crash, though disclosure of server memory contents seems + possible as well. + (CVE-2017-15098) + </para> + </listitem> + + <listitem> + <para> + Fix sample server-start scripts to become <literal>$PGUSER</literal> + before opening <literal>$PGLOG</literal> (Noah Misch) + </para> + + <para> + Previously, the postmaster log file was opened while still running as + root. The database owner could therefore mount an attack against + another system user by making <literal>$PGLOG</literal> be a symbolic + link to some other file, which would then become corrupted by appending + log messages. + </para> + + <para> + By default, these scripts are not installed anywhere. Users who have + made use of them will need to manually recopy them, or apply the same + changes to their modified versions. If the + existing <literal>$PGLOG</literal> file is root-owned, it will need to + be removed or renamed out of the way before restarting the server with + the corrected script. + (CVE-2017-12172) + </para> + </listitem> + + <listitem> + <para> Fix crash when logical decoding is invoked from a SPI-using function, in particular any function written in a PL language (Tom Lane) diff --git a/doc/src/sgml/release-9.5.sgml b/doc/src/sgml/release-9.5.sgml index 24565a650eb..86a3c309c05 100644 --- a/doc/src/sgml/release-9.5.sgml +++ b/doc/src/sgml/release-9.5.sgml @@ -23,7 +23,7 @@ </para> <para> - However, if you use BRIN indexes, see the first changelog entry below. + However, if you use BRIN indexes, see the fourth changelog entry below. </para> <para> 
@@ -39,6 +39,66 @@ <listitem> <para> + Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks + table permissions and RLS policies in all cases (Dean Rasheed) + </para> + + <para> + The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal> + requires <literal>SELECT</literal> permission on the columns of the + arbiter index, but it failed to check for that in the case of an + arbiter specified by constraint name. + In addition, for a table with row level security enabled, it failed to + check updated rows against the table's <literal>SELECT</literal> + policies (regardless of how the arbiter index was specified). + (CVE-2017-15099) + </para> + </listitem> + + <listitem> + <para> + Fix crash due to rowtype mismatch + in <function>json{b}_populate_recordset()</function> + (Michael Paquier, Tom Lane) + </para> + + <para> + These functions used the result rowtype specified in the <literal>FROM + ... AS</literal> clause without checking that it matched the actual + rowtype of the supplied tuple value. If it didn't, that would usually + result in a crash, though disclosure of server memory contents seems + possible as well. + (CVE-2017-15098) + </para> + </listitem> + + <listitem> + <para> + Fix sample server-start scripts to become <literal>$PGUSER</literal> + before opening <literal>$PGLOG</literal> (Noah Misch) + </para> + + <para> + Previously, the postmaster log file was opened while still running as + root. The database owner could therefore mount an attack against + another system user by making <literal>$PGLOG</literal> be a symbolic + link to some other file, which would then become corrupted by appending + log messages. + </para> + + <para> + By default, these scripts are not installed anywhere. Users who have + made use of them will need to manually recopy them, or apply the same + changes to their modified versions. 
If the + existing <literal>$PGLOG</literal> file is root-owned, it will need to + be removed or renamed out of the way before restarting the server with + the corrected script. + (CVE-2017-12172) + </para> + </listitem> + + <listitem> + <para> Fix BRIN index summarization to handle concurrent table extension correctly (Álvaro Herrera) </para> @@ -261,6 +321,19 @@ <listitem> <para> + Fix missing temp-install prerequisites + for <literal>check</literal>-like Make targets (Noah Misch) + </para> + + <para> + Some non-default test procedures that are meant to work + like <literal>make check</literal> failed to ensure that the temporary + installation was up to date. + </para> + </listitem> + + <listitem> + <para> Sync our copy of the timezone library with IANA release tzcode2017c (Tom Lane) </para> diff --git a/doc/src/sgml/release-9.6.sgml b/doc/src/sgml/release-9.6.sgml index b502be81bf2..9c4974b9e06 100644 --- a/doc/src/sgml/release-9.6.sgml +++ b/doc/src/sgml/release-9.6.sgml @@ -23,7 +23,7 @@ </para> <para> - However, if you use BRIN indexes, see the first changelog entry below. + However, if you use BRIN indexes, see the fourth changelog entry below. </para> <para> 
@@ -39,6 +39,66 @@ <listitem> <para> + Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks + table permissions and RLS policies in all cases (Dean Rasheed) + </para> + + <para> + The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal> + requires <literal>SELECT</literal> permission on the columns of the + arbiter index, but it failed to check for that in the case of an + arbiter specified by constraint name. + In addition, for a table with row level security enabled, it failed to + check updated rows against the table's <literal>SELECT</literal> + policies (regardless of how the arbiter index was specified). + (CVE-2017-15099) + </para> + </listitem> + + <listitem> + <para> + Fix crash due to rowtype mismatch + in <function>json{b}_populate_recordset()</function> + (Michael Paquier, Tom Lane) + </para> + + <para> + These functions used the result rowtype specified in the <literal>FROM + ... AS</literal> clause without checking that it matched the actual + rowtype of the supplied tuple value. If it didn't, that would usually + result in a crash, though disclosure of server memory contents seems + possible as well. + (CVE-2017-15098) + </para> + </listitem> + + <listitem> + <para> + Fix sample server-start scripts to become <literal>$PGUSER</literal> + before opening <literal>$PGLOG</literal> (Noah Misch) + </para> + + <para> + Previously, the postmaster log file was opened while still running as + root. The database owner could therefore mount an attack against + another system user by making <literal>$PGLOG</literal> be a symbolic + link to some other file, which would then become corrupted by appending + log messages. + </para> + + <para> + By default, these scripts are not installed anywhere. Users who have + made use of them will need to manually recopy them, or apply the same + changes to their modified versions. 
If the + existing <literal>$PGLOG</literal> file is root-owned, it will need to + be removed or renamed out of the way before restarting the server with + the corrected script. + (CVE-2017-12172) + </para> + </listitem> + + <listitem> + <para> Fix BRIN index summarization to handle concurrent table extension correctly (Álvaro Herrera) </para> @@ -460,6 +520,19 @@ Branch: REL9_6_STABLE [407e66078] 2017-09-14 01:17:15 +0200 </listitem> <listitem> + <para> + Fix missing temp-install prerequisites + for <literal>check</literal>-like Make targets (Noah Misch) + </para> + + <para> + Some non-default test procedures that are meant to work + like <literal>make check</literal> failed to ensure that the temporary + installation was up to date. + </para> + </listitem> + + <listitem> <!-- Author: Tom Lane <tgl@sss.pgh.pa.us> Branch: master [47f849a3c] 2017-09-22 00:04:29 -0400 |
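Review bot: The CVE-2017-12172 entry in release-9.2.sgml (hunk `@@ -42,6 +42,31 @@`, and the identical text inserted into the 9.3, 9.4, 9.5 and 9.6 files) tells users to "manually recopy" the sample server-start scripts but never says where in the source distribution those scripts live, so a reader cannot act on the instruction without searching the tree; add a pointer to their location. The follow-up sentence "If the existing $PGLOG file is root-owned, it will need to be removed or renamed out of the way" could also mention that changing the file's ownership to $PGUSER is the other way to let the corrected script, which now opens $PGLOG as $PGUSER, append to an existing log.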
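Review bot: The CVE-2017-15098 entry in release-9.3.sgml (hunk `@@ -36,6 +36,48 @@`, repeated in 9.4, 9.5 and 9.6) names only `json{b}_populate_recordset()` and then says the functions used "the result rowtype specified in the FROM ... AS clause without checking that it matched the actual rowtype of the supplied tuple value"; readers assessing exposure will want to know whether the single-row `json_populate_record()` variant, which takes the same kind of base-row argument, shares the defect or is explicitly unaffected. Either way, one clause stating the scope would remove the ambiguity. The hedge "disclosure of server memory contents seems possible as well" reads as the intended worst case and is fine as written.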
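Review bot: The one-line change in release-9.5.sgml hunk `@@ -23,7 +23,7 @@` ("see the first changelog entry below" becomes "fourth") is counted correctly, since the following hunk inserts three entries (ON CONFLICT, json_populate_recordset, $PGLOG) ahead of the BRIN entry, and the same edit is made in release-9.6.sgml; but an ordinal position is fragile, as this very patch shows, and will go stale the next time an entry is inserted above it. Consider giving the BRIN entry an `id` and using an `<xref>` instead.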
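Review bot: The CVE-2017-15099 entry in release-9.5.sgml hunk `@@ -39,6 +39,66 @@` (identical in release-9.6.sgml) describes the missing checks precisely but, unlike the $PGLOG entry next to it, says nothing about what administrators should expect after upgrading. Since the update path now enforces `SELECT` permission on the arbiter-index columns when the arbiter is given by constraint name, and checks updated rows against `SELECT` RLS policies, `INSERT ... ON CONFLICT DO UPDATE` statements that previously succeeded for under-privileged roles will start failing with permission errors; a sentence saying so would save support questions.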
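Review bot: The temp-install entry in release-9.5.sgml hunk `@@ -261,6 +321,19 @@` says only "Some non-default test procedures that are meant to work like make check failed to ensure that the temporary installation was up to date", which gives a packager no way to tell whether their build recipe was affected; naming the `check`-like targets involved, or at least the kind of target (e.g. the per-module or extra-suite variants), would make the entry actionable.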
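Review bot: In release-9.6.sgml hunk `@@ -460,6 +520,19 @@` the new temp-install `<listitem>` carries no `<!-- Author: ... Branch: ... -->` provenance comment, while both neighbours in this file do (the leading context shows `Branch: REL9_6_STABLE [407e66078]` and the trailing context shows `Author: Tom Lane` / `Branch: master [47f849a3c]`). The insertion point sits between an existing `<listitem>` and that trailing comment, so the comment still annotates the following entry and the new one is the only entry in the vicinity without one; add the matching Author/Branch comment for consistency with the file's convention.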