diff --git a/doc/src/sgml/release-10.sgml b/doc/src/sgml/release-10.sgml index 6c07157d2948ec30fb6ee2968252d83eabdde482..30d602a053d05e17c5705589bf0bd032f1ceac82 100644 --- a/doc/src/sgml/release-10.sgml +++ b/doc/src/sgml/release-10.sgml @@ -23,7 +23,7 @@ </para> <para> - However, if you use BRIN indexes, see the first changelog entry below. + However, if you use BRIN indexes, see the fourth changelog entry below. </para> </sect2> 
@@ -34,6 +34,92 @@ <listitem> <!-- +Author: Dean Rasheed <dean.a.rasheed@gmail.com> +Branch: master [87b2ebd35] 2017-11-06 09:19:22 +0000 +Branch: REL_10_STABLE [3f8089572] 2017-11-06 09:17:44 +0000 +Branch: REL9_6_STABLE [1f23d1cd2] 2017-11-06 09:16:24 +0000 +Branch: REL9_5_STABLE [045a18888] 2017-11-06 09:15:11 +0000 +--> + <para> + Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks + table permissions and RLS policies in all cases (Dean Rasheed) + </para> + + <para> + The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal> + requires <literal>SELECT</literal> permission on the columns of the + arbiter index, but it failed to check for that in the case of an + arbiter specified by constraint name. + In addition, for a table with row level security enabled, it failed to + check updated rows against the table's <literal>SELECT</literal> + policies (regardless of how the arbiter index was specified). + (CVE-2017-15099) + </para> + </listitem> + + <listitem> +<!-- +Author: Tom Lane <tgl@sss.pgh.pa.us> +Branch: master [b57422871] 2017-11-06 10:29:37 -0500 +Branch: REL_10_STABLE [c30f082d2] 2017-11-06 10:29:38 -0500 +Branch: REL9_6_STABLE [38e825632] 2017-11-06 10:29:39 -0500 +Branch: REL9_5_STABLE [d5fe5fb23] 2017-11-06 10:29:40 -0500 +Branch: REL9_4_STABLE [70846ee05] 2017-11-06 10:29:41 -0500 +Branch: REL9_3_STABLE [c0c8807de] 2017-11-06 10:29:42 -0500 +--> + <para> + Fix crash due to rowtype mismatch + in <function>json{b}_populate_recordset()</function> + (Michael Paquier, Tom Lane) + </para> + + <para> + These functions used the result rowtype specified in the <literal>FROM + ... AS</literal> clause without checking that it matched the actual + rowtype of the supplied tuple value. If it didn't, that would usually + result in a crash, though disclosure of server memory contents seems + possible as well. 
+ (CVE-2017-15098) + </para> + </listitem> + + <listitem> +<!-- +Author: Noah Misch <noah@leadboat.com> +Branch: master [dfc015dcf] 2017-11-06 07:11:10 -0800 +Branch: REL_10_STABLE [6b0b983f7] 2017-11-06 07:11:13 -0800 +Branch: REL9_6_STABLE [b7d6f7507] 2017-11-06 07:11:13 -0800 +Branch: REL9_5_STABLE [ed546dd06] 2017-11-06 07:11:13 -0800 +Branch: REL9_4_STABLE [29d067051] 2017-11-06 07:11:13 -0800 +Branch: REL9_3_STABLE [b50029768] 2017-11-06 07:11:13 -0800 +Branch: REL9_2_STABLE [eda780281] 2017-11-06 07:11:13 -0800 +--> + <para> + Fix sample server-start scripts to become <literal>$PGUSER</literal> + before opening <literal>$PGLOG</literal> (Noah Misch) + </para> + + <para> + Previously, the postmaster log file was opened while still running as + root. The database owner could therefore mount an attack against + another system user by making <literal>$PGLOG</literal> be a symbolic + link to some other file, which would then become corrupted by appending + log messages. + </para> + + <para> + By default, these scripts are not installed anywhere. Users who have + made use of them will need to manually recopy them, or apply the same + changes to their modified versions. If the + existing <literal>$PGLOG</literal> file is root-owned, it will need to + be removed or renamed out of the way before restarting the server with + the corrected script. + (CVE-2017-12172) + </para> + </listitem> + + <listitem> +<!-- Author: Alvaro Herrera <alvherre@alvh.no-ip.org> Branch: master [ec42a1dcb] 2017-11-03 17:23:13 +0100 Branch: REL_10_STABLE [37a856567] 2017-11-03 17:23:13 +0100 
@@ -595,6 +681,26 @@ Branch: REL9_3_STABLE [deb429b51] 2017-11-03 12:40:42 +0100 <listitem> <!-- +Author: Noah Misch <noah@leadboat.com> +Branch: master [c66b438db] 2017-11-05 18:51:08 -0800 +Branch: REL_10_STABLE [937f67800] 2017-11-05 18:51:15 -0800 +Branch: REL9_6_STABLE [971983f42] 2017-11-05 18:52:38 -0800 +Branch: REL9_5_STABLE [014c5cd87] 2017-11-05 18:54:52 -0800 +--> + <para> + Fix missing temp-install prerequisites + for <literal>check</literal>-like Make targets (Noah Misch) + </para> + + <para> + Some non-default test procedures that are meant to work + like <literal>make check</literal> failed to ensure that the temporary + installation was up to date. + </para> + </listitem> + + <listitem> +<!-- Author: Tom Lane <tgl@sss.pgh.pa.us> Branch: master [8df4ce1ea] 2017-10-23 18:15:36 -0400 Branch: REL_10_STABLE [0cde56247] 2017-10-23 18:15:42 -0400 diff --git a/doc/src/sgml/release-9.2.sgml b/doc/src/sgml/release-9.2.sgml index 2f5f054c4e94f4a838e4034d9bf6ad8e88103f94..e2da35bcd4472c5285ce1d3dfb6756d4913f9c1b 100644 --- a/doc/src/sgml/release-9.2.sgml +++ b/doc/src/sgml/release-9.2.sgml 
@@ -40,6 +40,31 @@ <itemizedlist> + <listitem> + <para> + Fix sample server-start scripts to become <literal>$PGUSER</literal> + before opening <literal>$PGLOG</literal> (Noah Misch) + </para> + + <para> + Previously, the postmaster log file was opened while still running as + root. The database owner could therefore mount an attack against + another system user by making <literal>$PGLOG</literal> be a symbolic + link to some other file, which would then become corrupted by appending + log messages. + </para> + + <para> + By default, these scripts are not installed anywhere. Users who have + made use of them will need to manually recopy them, or apply the same + changes to their modified versions. If the + existing <literal>$PGLOG</literal> file is root-owned, it will need to + be removed or renamed out of the way before restarting the server with + the corrected script. + (CVE-2017-12172) + </para> + </listitem> + <listitem> <para> Properly reject attempts to convert infinite float values to diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml index 82f705522e6bdf074f89e48d2a609e191becdb65..ed0e292d9a85c5414197c2445963a7565e639a38 100644 --- a/doc/src/sgml/release-9.3.sgml +++ b/doc/src/sgml/release-9.3.sgml 
@@ -34,6 +34,48 @@ <itemizedlist> + <listitem> + <para> + Fix crash due to rowtype mismatch + in <function>json{b}_populate_recordset()</function> + (Michael Paquier, Tom Lane) + </para> + + <para> + These functions used the result rowtype specified in the <literal>FROM + ... AS</literal> clause without checking that it matched the actual + rowtype of the supplied tuple value. If it didn't, that would usually + result in a crash, though disclosure of server memory contents seems + possible as well. + (CVE-2017-15098) + </para> + </listitem> + + <listitem> + <para> + Fix sample server-start scripts to become <literal>$PGUSER</literal> + before opening <literal>$PGLOG</literal> (Noah Misch) + </para> + + <para> + Previously, the postmaster log file was opened while still running as + root. The database owner could therefore mount an attack against + another system user by making <literal>$PGLOG</literal> be a symbolic + link to some other file, which would then become corrupted by appending + log messages. + </para> + + <para> + By default, these scripts are not installed anywhere. Users who have + made use of them will need to manually recopy them, or apply the same + changes to their modified versions. If the + existing <literal>$PGLOG</literal> file is root-owned, it will need to + be removed or renamed out of the way before restarting the server with + the corrected script. + (CVE-2017-12172) + </para> + </listitem> + <listitem> <para> Properly reject attempts to convert infinite float values to diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml index ab47dc50dddcdb6c0804a28961d6c6fa56b0d8a2..d8b6b1777c791584336f35ba34e6df91f7e2fd34 100644 --- a/doc/src/sgml/release-9.4.sgml +++ b/doc/src/sgml/release-9.4.sgml 
@@ -33,6 +33,48 @@ <itemizedlist> + <listitem> + <para> + Fix crash due to rowtype mismatch + in <function>json{b}_populate_recordset()</function> + (Michael Paquier, Tom Lane) + </para> + + <para> + These functions used the result rowtype specified in the <literal>FROM + ... AS</literal> clause without checking that it matched the actual + rowtype of the supplied tuple value. If it didn't, that would usually + result in a crash, though disclosure of server memory contents seems + possible as well. + (CVE-2017-15098) + </para> + </listitem> + + <listitem> + <para> + Fix sample server-start scripts to become <literal>$PGUSER</literal> + before opening <literal>$PGLOG</literal> (Noah Misch) + </para> + + <para> + Previously, the postmaster log file was opened while still running as + root. The database owner could therefore mount an attack against + another system user by making <literal>$PGLOG</literal> be a symbolic + link to some other file, which would then become corrupted by appending + log messages. + </para> + + <para> + By default, these scripts are not installed anywhere. Users who have + made use of them will need to manually recopy them, or apply the same + changes to their modified versions. If the + existing <literal>$PGLOG</literal> file is root-owned, it will need to + be removed or renamed out of the way before restarting the server with + the corrected script. + (CVE-2017-12172) + </para> + </listitem> + <listitem> <para> Fix crash when logical decoding is invoked from a SPI-using function, diff --git a/doc/src/sgml/release-9.5.sgml b/doc/src/sgml/release-9.5.sgml index 3ab5df7a5f492ee441dc23529f5b261b0be0220a..a1e68ba283af5e207f6d7e0e48a1391ae029c2c9 100644 --- a/doc/src/sgml/release-9.5.sgml +++ b/doc/src/sgml/release-9.5.sgml @@ -23,7 +23,7 @@ </para> <para> - However, if you use BRIN indexes, see the first changelog entry below. + However, if you use BRIN indexes, see the fourth changelog entry below. </para> <para> 
@@ -37,6 +37,66 @@ <itemizedlist> + <listitem> + <para> + Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks + table permissions and RLS policies in all cases (Dean Rasheed) + </para> + + <para> + The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal> + requires <literal>SELECT</literal> permission on the columns of the + arbiter index, but it failed to check for that in the case of an + arbiter specified by constraint name. + In addition, for a table with row level security enabled, it failed to + check updated rows against the table's <literal>SELECT</literal> + policies (regardless of how the arbiter index was specified). + (CVE-2017-15099) + </para> + </listitem> + + <listitem> + <para> + Fix crash due to rowtype mismatch + in <function>json{b}_populate_recordset()</function> + (Michael Paquier, Tom Lane) + </para> + + <para> + These functions used the result rowtype specified in the <literal>FROM + ... AS</literal> clause without checking that it matched the actual + rowtype of the supplied tuple value. If it didn't, that would usually + result in a crash, though disclosure of server memory contents seems + possible as well. + (CVE-2017-15098) + </para> + </listitem> + + <listitem> + <para> + Fix sample server-start scripts to become <literal>$PGUSER</literal> + before opening <literal>$PGLOG</literal> (Noah Misch) + </para> + + <para> + Previously, the postmaster log file was opened while still running as + root. The database owner could therefore mount an attack against + another system user by making <literal>$PGLOG</literal> be a symbolic + link to some other file, which would then become corrupted by appending + log messages. + </para> + + <para> + By default, these scripts are not installed anywhere. Users who have + made use of them will need to manually recopy them, or apply the same + changes to their modified versions. 
If the + existing <literal>$PGLOG</literal> file is root-owned, it will need to + be removed or renamed out of the way before restarting the server with + the corrected script. + (CVE-2017-12172) + </para> + </listitem> + <listitem> <para> Fix BRIN index summarization to handle concurrent table extension @@ -259,6 +319,19 @@ </para> </listitem> + <listitem> + <para> + Fix missing temp-install prerequisites + for <literal>check</literal>-like Make targets (Noah Misch) + </para> + + <para> + Some non-default test procedures that are meant to work + like <literal>make check</literal> failed to ensure that the temporary + installation was up to date. + </para> + </listitem> + <listitem> <para> Sync our copy of the timezone library with IANA release tzcode2017c diff --git a/doc/src/sgml/release-9.6.sgml b/doc/src/sgml/release-9.6.sgml index 5e358ef4b4d33499b786e516471519fbf4fa0fb6..65df3113c2cc74a411d6e8c822bb560066c259ea 100644 --- a/doc/src/sgml/release-9.6.sgml +++ b/doc/src/sgml/release-9.6.sgml @@ -23,7 +23,7 @@ </para> <para> - However, if you use BRIN indexes, see the first changelog entry below. + However, if you use BRIN indexes, see the fourth changelog entry below. </para> <para> 
@@ -37,6 +37,66 @@ <itemizedlist> + <listitem> + <para> + Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks + table permissions and RLS policies in all cases (Dean Rasheed) + </para> + + <para> + The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal> + requires <literal>SELECT</literal> permission on the columns of the + arbiter index, but it failed to check for that in the case of an + arbiter specified by constraint name. + In addition, for a table with row level security enabled, it failed to + check updated rows against the table's <literal>SELECT</literal> + policies (regardless of how the arbiter index was specified). + (CVE-2017-15099) + </para> + </listitem> + + <listitem> + <para> + Fix crash due to rowtype mismatch + in <function>json{b}_populate_recordset()</function> + (Michael Paquier, Tom Lane) + </para> + + <para> + These functions used the result rowtype specified in the <literal>FROM + ... AS</literal> clause without checking that it matched the actual + rowtype of the supplied tuple value. If it didn't, that would usually + result in a crash, though disclosure of server memory contents seems + possible as well. + (CVE-2017-15098) + </para> + </listitem> + + <listitem> + <para> + Fix sample server-start scripts to become <literal>$PGUSER</literal> + before opening <literal>$PGLOG</literal> (Noah Misch) + </para> + + <para> + Previously, the postmaster log file was opened while still running as + root. The database owner could therefore mount an attack against + another system user by making <literal>$PGLOG</literal> be a symbolic + link to some other file, which would then become corrupted by appending + log messages. + </para> + + <para> + By default, these scripts are not installed anywhere. Users who have + made use of them will need to manually recopy them, or apply the same + changes to their modified versions. 
If the + existing <literal>$PGLOG</literal> file is root-owned, it will need to + be removed or renamed out of the way before restarting the server with + the corrected script. + (CVE-2017-12172) + </para> + </listitem> + <listitem> <para> Fix BRIN index summarization to handle concurrent table extension @@ -459,6 +519,19 @@ Branch: REL9_6_STABLE [407e66078] 2017-09-14 01:17:15 +0200 </para> </listitem> + <listitem> + <para> + Fix missing temp-install prerequisites + for <literal>check</literal>-like Make targets (Noah Misch) + </para> + + <para> + Some non-default test procedures that are meant to work + like <literal>make check</literal> failed to ensure that the temporary + installation was up to date. + </para> + </listitem> + <listitem> <!-- Author: Tom Lane <tgl@sss.pgh.pa.us>
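Review bot: In doc/src/sgml/release-10.sgml (hunk @@ -23,7 +23,7 @@), the new sentence "see the fourth changelog entry below" still identifies the BRIN entry by its position in the list. That is the reference this patch had to correct once new entries were inserted ahead of it, and the same edit recurs in release-9.5.sgml and release-9.6.sgml. Consider naming the entry by subject instead (in 9.5 and 9.6 it is "Fix BRIN index summarization to handle concurrent table extension"), so the sentence stays correct the next time the list is reordered.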
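Review bot: In doc/src/sgml/release-10.sgml (hunk @@ -34,6 +34,92 @@), the CVE-2017-12172 entry tells users to "manually recopy them, or apply the same changes to their modified versions" but never says where the sample server-start scripts live, and describes the change only in the one-line summary. Because the entry itself notes that the scripts are not installed by default, add their location in the source tree and state the property to verify (the script must become $PGUSER before $PGLOG is opened), so administrators with locally modified copies can check their own versions. The identical wording is repeated in the 9.2 through 9.6 files.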
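Review bot: In doc/src/sgml/release-9.3.sgml (hunk @@ -34,6 +34,48 @@), the CVE-2017-15098 entry names <function>json{b}_populate_recordset()</function>, but the jsonb type was only introduced in 9.4, so this branch has no jsonb variant of the function. For the 9.3 notes the entry should name json_populate_recordset() alone and say "This function" rather than "These functions". More generally, the brace shorthand inside a <function> tag is not a name a reader can search for; spelling out both function names in the 9.4 and later files would be clearer.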
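Review bot: In doc/src/sgml/release-9.5.sgml (hunk @@ -37,6 +37,66 @@), the CVE-2017-15099 entry says which checks were skipped but not what skipping them allowed, unlike the two security entries after it, which state the consequence (a crash or possible memory disclosure, and corruption of another user's file). Add one sentence on the effect of the missing SELECT permission and RLS policy checks, so readers can judge whether their tables were exposed. It would also read better with the two defects separated, since the first applies only to "an arbiter specified by constraint name" and the second applies "regardless of how the arbiter index was specified".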
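Review bot: In doc/src/sgml/release-9.6.sgml (hunks @@ -37,6 +37,66 @@ and @@ -459,6 +519,19 @@), the new list items are added without the Author/Branch comment block that neighbouring entries in this file carry; the unchanged context shows one at "<listitem> <!-- Author: Tom Lane" and another in the hunk header "Branch: REL9_6_STABLE [407e66078]". The same entries in release-10.sgml do include those blocks, listing the REL9_6_STABLE commits. Carry the blocks over here so every entry in the file can be traced back to its commit.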
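Review bot: In doc/src/sgml/release-10.sgml (hunk @@ -595,6 +681,26 @@), the phrase "Some non-default test procedures that are meant to work like make check" leaves the reader unable to tell which targets were affected. Name the Make targets that gained the temp-install prerequisite, or at least the directories they live in, so anyone who relied on those targets knows their earlier test runs may have used a stale temporary installation. The same entry appears in the 9.5 and 9.6 files.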