From 4908df4a609aa1f2b3def968fe5b94a74cfde214 Mon Sep 17 00:00:00 2001 From: Tom Lane <tgl@sss.pgh.pa.us> Date: Mon, 5 Aug 2019 11:49:14 -0400 Subject: [PATCH] Last-minute updates for release notes. Security: CVE-2019-10208, CVE-2019-10209 --- doc/src/sgml/release-9.4.sgml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml index 8fde65b27fd..36ef9009e67 100644 --- a/doc/src/sgml/release-9.4.sgml +++ b/doc/src/sgml/release-9.4.sgml @@ -41,6 +41,36 @@ <listitem> <!-- +Author: Noah Misch <noah@leadboat.com> +Branch: master [ffa2d37e5] 2019-08-05 07:48:41 -0700 +Branch: REL_12_STABLE [9993fa9dd] 2019-08-05 07:48:45 -0700 +Branch: REL_11_STABLE [21f94c51f] 2019-08-05 07:48:45 -0700 +Branch: REL_10_STABLE [2062007cb] 2019-08-05 07:48:45 -0700 +Branch: REL9_6_STABLE [7da46192d] 2019-08-05 07:48:45 -0700 +Branch: REL9_5_STABLE [752fa3dbf] 2019-08-05 07:48:45 -0700 +Branch: REL9_4_STABLE [86737438b] 2019-08-05 07:48:46 -0700 +--> + <para> + Require schema qualification to cast to a temporary type when using + functional cast syntax (Noah Misch) + </para> + + <para> + We have long required invocations of temporary functions to + explicitly specify the temporary schema, that + is <literal>pg_temp.<replaceable>func_name</replaceable>(<replaceable>args</replaceable>)</literal>. + Require this as well for casting to temporary types using functional + notation, for + example <literal>pg_temp.<replaceable>type_name</replaceable>(<replaceable>arg</replaceable>)</literal>. + Otherwise it's possible to capture a function call using a temporary + object, allowing privilege escalation in much the same ways that we + blocked in CVE-2007-2138. + (CVE-2019-10208) + </para> + </listitem> + + <listitem> +<!-- Author: Tom Lane <tgl@sss.pgh.pa.us> Branch: master Release: REL_12_BR [f946a4091] 2019-06-24 16:43:21 -0400 Branch: REL_11_STABLE [afaf48afb] 2019-06-24 16:43:05 -0400 -- GitLab
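Review bot: the commit trailer lists two advisories (Security: CVE-2019-10208, CVE-2019-10209), but the single hunk in release-9.4.sgml adds only the CVE-2019-10208 entry ("Require schema qualification to cast to a temporary type when using functional cast syntax"); either the 9.4 notes are missing the CVE-2019-10209 item or the trailer should make clear that only 10208 applies to this branch. Within the new second <para>, the sentence "Require this as well for casting to temporary types using functional notation" describes a behaviour change but does not say what an unqualified cast now does; stating that such casts are now rejected (rather than silently resolving to the temporary type) would let readers grep their code for affected call sites before upgrading, in line with the existing pg_temp.func_name(args) wording for functions.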