From 22795f096b521e975800cd2fff222f958500ef19 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Thu, 23 Feb 2012 17:47:59 -0500
Subject: [PATCH] Last-minute release note updates.
Security: CVE-2012-0866, CVE-2012-0867, CVE-2012-0868
---
doc/src/sgml/release-8.3.sgml | 30 ++++++++++++++++++
doc/src/sgml/release-8.4.sgml | 50 ++++++++++++++++++++++++++++++
doc/src/sgml/release-9.0.sgml | 50 ++++++++++++++++++++++++++++++
doc/src/sgml/release-9.1.sgml | 57 +++++++++++++++++++++++++++++++++++
4 files changed, 187 insertions(+)
diff --git a/doc/src/sgml/release-8.3.sgml b/doc/src/sgml/release-8.3.sgml
index e80743f463b..09f867b527d 100644
--- a/doc/src/sgml/release-8.3.sgml
+++ b/doc/src/sgml/release-8.3.sgml
@@ -34,6 +34,36 @@
<itemizedlist>
+ <listitem>
+ <para>
+ Require execute permission on the trigger function for
+ <command>CREATE TRIGGER</> (Robert Haas)
+ </para>
+
+ <para>
+ This missing check could allow another user to execute a trigger
+ function with forged input data, by installing it on a table he owns.
+ This is only of significance for trigger functions marked
+ <literal>SECURITY DEFINER</>, since otherwise trigger functions run
+ as the table owner anyway. (CVE-2012-0866)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Convert newlines to spaces in names written in <application>pg_dump</>
+ comments (Robert Haas)
+ </para>
+
+ <para>
+ <application>pg_dump</> was incautious about sanitizing object names
+ that are emitted within SQL comments in its output script. A name
+ containing a newline would at least render the script syntactically
+ incorrect. Maliciously crafted object names could present a SQL
+ injection risk when the script is reloaded. (CVE-2012-0868)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix btree index corruption from insertions concurrent with vacuuming
diff --git a/doc/src/sgml/release-8.4.sgml b/doc/src/sgml/release-8.4.sgml
index 2cddc5ec0c4..7dbc78e500c 100644
--- a/doc/src/sgml/release-8.4.sgml
+++ b/doc/src/sgml/release-8.4.sgml
@@ -34,6 +34,56 @@
<itemizedlist>
+ <listitem>
+ <para>
+ Require execute permission on the trigger function for
+ <command>CREATE TRIGGER</> (Robert Haas)
+ </para>
+
+ <para>
+ This missing check could allow another user to execute a trigger
+ function with forged input data, by installing it on a table he owns.
+ This is only of significance for trigger functions marked
+ <literal>SECURITY DEFINER</>, since otherwise trigger functions run
+ as the table owner anyway. (CVE-2012-0866)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Remove arbitrary limitation on length of common name in SSL
+ certificates (Heikki Linnakangas)
+ </para>
+
+ <para>
+ Both <application>libpq</> and the server truncated the common name
+ extracted from an SSL certificate at 32 bytes. Normally this would
+ cause nothing worse than an unexpected verification failure, but there
+ are some rather-implausible scenarios in which it might allow one
+ certificate holder to impersonate another. The victim would have to
+ have a common name exactly 32 bytes long, and the attacker would have
+ to persuade a trusted CA to issue a certificate in which the common
+ name has that string as a prefix. Impersonating a server would also
+ require some additional exploit to redirect client connections.
+ (CVE-2012-0867)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Convert newlines to spaces in names written in <application>pg_dump</>
+ comments (Robert Haas)
+ </para>
+
+ <para>
+ <application>pg_dump</> was incautious about sanitizing object names
+ that are emitted within SQL comments in its output script. A name
+ containing a newline would at least render the script syntactically
+ incorrect. Maliciously crafted object names could present a SQL
+ injection risk when the script is reloaded. (CVE-2012-0868)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix btree index corruption from insertions concurrent with vacuuming
diff --git a/doc/src/sgml/release-9.0.sgml b/doc/src/sgml/release-9.0.sgml
index 7b29590bb11..16de221dc11 100644
--- a/doc/src/sgml/release-9.0.sgml
+++ b/doc/src/sgml/release-9.0.sgml
@@ -34,6 +34,56 @@
<itemizedlist>
+ <listitem>
+ <para>
+ Require execute permission on the trigger function for
+ <command>CREATE TRIGGER</> (Robert Haas)
+ </para>
+
+ <para>
+ This missing check could allow another user to execute a trigger
+ function with forged input data, by installing it on a table he owns.
+ This is only of significance for trigger functions marked
+ <literal>SECURITY DEFINER</>, since otherwise trigger functions run
+ as the table owner anyway. (CVE-2012-0866)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Remove arbitrary limitation on length of common name in SSL
+ certificates (Heikki Linnakangas)
+ </para>
+
+ <para>
+ Both <application>libpq</> and the server truncated the common name
+ extracted from an SSL certificate at 32 bytes. Normally this would
+ cause nothing worse than an unexpected verification failure, but there
+ are some rather-implausible scenarios in which it might allow one
+ certificate holder to impersonate another. The victim would have to
+ have a common name exactly 32 bytes long, and the attacker would have
+ to persuade a trusted CA to issue a certificate in which the common
+ name has that string as a prefix. Impersonating a server would also
+ require some additional exploit to redirect client connections.
+ (CVE-2012-0867)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Convert newlines to spaces in names written in <application>pg_dump</>
+ comments (Robert Haas)
+ </para>
+
+ <para>
+ <application>pg_dump</> was incautious about sanitizing object names
+ that are emitted within SQL comments in its output script. A name
+ containing a newline would at least render the script syntactically
+ incorrect. Maliciously crafted object names could present a SQL
+ injection risk when the script is reloaded. (CVE-2012-0868)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix btree index corruption from insertions concurrent with vacuuming
diff --git a/doc/src/sgml/release-9.1.sgml b/doc/src/sgml/release-9.1.sgml
index 46abbec10a6..ca53f5fc7d2 100644
--- a/doc/src/sgml/release-9.1.sgml
+++ b/doc/src/sgml/release-9.1.sgml
@@ -34,6 +34,56 @@
<itemizedlist>
+ <listitem>
+ <para>
+ Require execute permission on the trigger function for
+ <command>CREATE TRIGGER</> (Robert Haas)
+ </para>
+
+ <para>
+ This missing check could allow another user to execute a trigger
+ function with forged input data, by installing it on a table he owns.
+ This is only of significance for trigger functions marked
+ <literal>SECURITY DEFINER</>, since otherwise trigger functions run
+ as the table owner anyway. (CVE-2012-0866)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Remove arbitrary limitation on length of common name in SSL
+ certificates (Heikki Linnakangas)
+ </para>
+
+ <para>
+ Both <application>libpq</> and the server truncated the common name
+ extracted from an SSL certificate at 32 bytes. Normally this would
+ cause nothing worse than an unexpected verification failure, but there
+ are some rather-implausible scenarios in which it might allow one
+ certificate holder to impersonate another. The victim would have to
+ have a common name exactly 32 bytes long, and the attacker would have
+ to persuade a trusted CA to issue a certificate in which the common
+ name has that string as a prefix. Impersonating a server would also
+ require some additional exploit to redirect client connections.
+ (CVE-2012-0867)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Convert newlines to spaces in names written in <application>pg_dump</>
+ comments (Robert Haas)
+ </para>
+
+ <para>
+ <application>pg_dump</> was incautious about sanitizing object names
+ that are emitted within SQL comments in its output script. A name
+ containing a newline would at least render the script syntactically
+ incorrect. Maliciously crafted object names could present a SQL
+ injection risk when the script is reloaded. (CVE-2012-0868)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix btree index corruption from insertions concurrent with vacuuming
@@ -576,6 +626,13 @@
</para>
</listitem>
+ <listitem>
+ <para>
+ Allow MinGW builds to use standardly-named OpenSSL libraries
+ (Tomasz Ostrowski)
+ </para>
+ </listitem>
+
</itemizedlist>
</sect2>
--
GitLab