Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
P
postgres-lambda-diff
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Container registry
Model registry
Operate
Environments
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Jakob Huber
postgres-lambda-diff
Commits
a70f2e4c
Commit
a70f2e4c
authored
6 years ago
by
Tom Lane
Browse files
Options
Downloads
Patches
Plain Diff
Last-minute updates for release notes.
Security: CVE-2019-10129, CVE-2019-10130
parent
f578efc9
No related branches found
No related tags found
No related merge requests found
Changes
1
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
doc/src/sgml/release-9.6.sgml
+39
-0
39 additions, 0 deletions
doc/src/sgml/release-9.6.sgml
with
39 additions
and
0 deletions
doc/src/sgml/release-9.6.sgml
+
39
−
0
View file @
a70f2e4c
...
@@ -33,6 +33,28 @@
...
@@ -33,6 +33,28 @@
<itemizedlist>
<itemizedlist>
<listitem>
<para>
Prevent row-level security policies from being bypassed via
selectivity estimators (Dean Rasheed)
</para>
<para>
Some of the planner's selectivity estimators apply user-defined
operators to values found in <structname>pg_statistic</structname>
(e.g., most-common values). A leaky operator therefore can disclose
some of the entries in a data column, even if the calling user lacks
permission to read that column. In CVE-2017-7484 we added
restrictions to forestall that, but we failed to consider the
effects of row-level security. A user who has SQL permission to
read a column, but who is forbidden to see certain rows due to RLS
policy, might still learn something about those rows' contents via a
leaky operator. This patch further tightens the rules, allowing
leaky operators to be applied to statistics data only when there is
no relevant RLS policy. (CVE-2019-10130)
</para>
</listitem>
<listitem>
<listitem>
<para>
<para>
Fix behavior for an <command>UPDATE</command>
Fix behavior for an <command>UPDATE</command>
...
@@ -187,6 +209,23 @@
...
@@ -187,6 +209,23 @@
</para>
</para>
</listitem>
</listitem>
<listitem>
<para>
Check the appropriate user's permissions when enforcing rules about
letting a leaky operator see <structname>pg_statistic</structname>
data (Dean Rasheed)
</para>
<para>
When an underlying table is being accessed via a view, consider the
privileges of the view owner while deciding whether leaky operators
may be applied to the table's statistics data, rather than the
privileges of the user making the query. This makes the planner's
rules about what data is visible match up with the executor's,
avoiding unnecessarily-poor plans.
</para>
</listitem>
<listitem>
<listitem>
<para>
<para>
Speed up planning when there are many equality conditions and many
Speed up planning when there are many equality conditions and many
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment