From ce5a2d2c3e8e1353d1cb31ab143730accbb1ac75 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Mon, 10 Feb 2020 12:51:07 -0500
Subject: Last-minute updates for release notes.
Security: CVE-2020-1720
---
doc/src/sgml/release-12.sgml | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/doc/src/sgml/release-12.sgml b/doc/src/sgml/release-12.sgml
index 79548ed83c5..cadbbfd3de3 100644
--- a/doc/src/sgml/release-12.sgml
+++ b/doc/src/sgml/release-12.sgml
@@ -37,6 +37,30 @@
+
+ Add missing permissions checks for ALTER ... DEPENDS ON
+ EXTENSION (Álvaro Herrera)
+
+
+
+ Marking an object as dependent on an extension did not have any
+ privilege check whatsoever. This oversight allowed any user to mark
+ routines, triggers, materialized views, or indexes as droppable by
+ anyone able to drop an extension. Require that the calling user own
+ the specified object (and hence have privilege to drop it).
+ (CVE-2020-1720)
+
+
+
+
+
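Review bot: The last sentence of the new entry ("Require that the calling user own the specified object") describes the added check but says nothing about dependency marks recorded before the update, so an administrator cannot tell from this text whether anything needs auditing after upgrading. Suggest adding a sentence stating whether marks already made with ALTER ... DEPENDS ON EXTENSION are left in place and, if they are, that objects marked by non-owners should be reviewed. Minor style point in the first sentence: "did not have any privilege check whatsoever" could be tightened to "was not subject to any privilege check".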
@@ -1201,6 +1225,24 @@ Branch: REL9_4_STABLE [56c06999d] 2019-11-13 11:35:37 -0500
+
+ Apply more thorough syntax checking
+ to createuser's
+ option (Álvaro Herrera)
+
+
+
+
+
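Review bot: The item "Apply more thorough syntax checking to createuser's option" does not name the option in the text as shown, and unlike the CVE entry in the first hunk it has no explanatory paragraph. Suggest naming the option and adding one sentence on what input is now rejected, so users know which createuser invocations may start failing after the update. The commit message carries a "Security: CVE-2020-1720" trailer, yet nothing in this entry ties it to that CVE; a short mention in the message that the commit also adds a non-security item would make the log easier to search.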