From c54f04820a48c33ca15b24552eab29f5137ce462 Mon Sep 17 00:00:00 2001 From: Tom Lane <tgl@sss.pgh.pa.us> Date: Mon, 6 Aug 2018 13:13:41 -0400 Subject: [PATCH] Last-minute updates for release notes. Security: CVE-2018-10915, CVE-2018-10925 --- doc/src/sgml/release-9.3.sgml | 28 ++++++++++++++++++++++++++++ doc/src/sgml/release-9.4.sgml | 28 ++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml index a2078eac9ec..b0b46b4b394 100644 --- a/doc/src/sgml/release-9.3.sgml +++ b/doc/src/sgml/release-9.3.sgml @@ -39,6 +39,34 @@ <itemizedlist> + <listitem> + <para> + Fix failure to reset <application>libpq</application>'s state fully + between connection attempts (Tom Lane) + </para> + + <para> + An unprivileged user of <filename>dblink</filename> + or <filename>postgres_fdw</filename> could bypass the checks intended + to prevent use of server-side credentials, such as + a <filename>~/.pgpass</filename> file owned by the operating-system + user running the server. Servers allowing peer authentication on + local connections are particularly vulnerable. Other attacks such + as SQL injection into a <filename>postgres_fdw</filename> session + are also possible. + Attacking <filename>postgres_fdw</filename> in this way requires the + ability to create a foreign server object with selected connection + parameters, but any user with access to <filename>dblink</filename> + could exploit the problem. + In general, an attacker with the ability to select the connection + parameters for a <application>libpq</application>-using application + could cause mischief, though other plausible attack scenarios are + harder to think of. + Our thanks to Andrew Krasichkov for reporting this issue. + (CVE-2018-10915) + </para> + </listitem> + <listitem> <para> Ensure that updates to the <structfield>relfrozenxid</structfield> diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml index 6568a934d4a..71b760a91a5 100644 --- a/doc/src/sgml/release-9.4.sgml +++ b/doc/src/sgml/release-9.4.sgml @@ -33,6 +33,34 @@ <itemizedlist> + <listitem> + <para> + Fix failure to reset <application>libpq</application>'s state fully + between connection attempts (Tom Lane) + </para> + + <para> + An unprivileged user of <filename>dblink</filename> + or <filename>postgres_fdw</filename> could bypass the checks intended + to prevent use of server-side credentials, such as + a <filename>~/.pgpass</filename> file owned by the operating-system + user running the server. Servers allowing peer authentication on + local connections are particularly vulnerable. Other attacks such + as SQL injection into a <filename>postgres_fdw</filename> session + are also possible. + Attacking <filename>postgres_fdw</filename> in this way requires the + ability to create a foreign server object with selected connection + parameters, but any user with access to <filename>dblink</filename> + could exploit the problem. + In general, an attacker with the ability to select the connection + parameters for a <application>libpq</application>-using application + could cause mischief, though other plausible attack scenarios are + harder to think of. + Our thanks to Andrew Krasichkov for reporting this issue. + (CVE-2018-10915) + </para> + </listitem> + <listitem> <para> Ensure that updates to the <structfield>relfrozenxid</structfield> -- GitLab