diff --git a/doc/src/sgml/release-9.2.sgml b/doc/src/sgml/release-9.2.sgml
index f0283ad500f02a356e392b89cd4970428c495101..e1bfb2e2b223a356e6a39b555cdbb5f7a9381bde 100644
--- a/doc/src/sgml/release-9.2.sgml
+++ b/doc/src/sgml/release-9.2.sgml
@@ -40,6 +40,31 @@
<itemizedlist>
+ <listitem>
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
<listitem>
<para>
Properly reject attempts to convert infinite float values to
diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml
index 160da1ca8b9427f4734f83162e56c5e14f1d4c22..b198f85d802c29ee28e888781df79b6b3992ed0b 100644
--- a/doc/src/sgml/release-9.3.sgml
+++ b/doc/src/sgml/release-9.3.sgml
@@ -34,6 +34,48 @@
<itemizedlist>
+ <listitem>
+ <para>
+ Fix crash due to rowtype mismatch
+ in <function>json{b}_populate_recordset()</function>
+ (Michael Paquier, Tom Lane)
+ </para>
+
+ <para>
+ These functions used the result rowtype specified in the <literal>FROM
+ ... AS</literal> clause without checking that it matched the actual
+ rowtype of the supplied tuple value. If it didn't, that would usually
+ result in a crash, though disclosure of server memory contents seems
+ possible as well.
+ (CVE-2017-15098)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
<listitem>
<para>
Properly reject attempts to convert infinite float values to
diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml
index d5621fd1ce7a46a796b5a2af8a69886e32d678a6..722a105c89c5e815894bd994e4e23804db092b3c 100644
--- a/doc/src/sgml/release-9.4.sgml
+++ b/doc/src/sgml/release-9.4.sgml
@@ -33,6 +33,48 @@
<itemizedlist>
+ <listitem>
+ <para>
+ Fix crash due to rowtype mismatch
+ in <function>json{b}_populate_recordset()</function>
+ (Michael Paquier, Tom Lane)
+ </para>
+
+ <para>
+ These functions used the result rowtype specified in the <literal>FROM
+ ... AS</literal> clause without checking that it matched the actual
+ rowtype of the supplied tuple value. If it didn't, that would usually
+ result in a crash, though disclosure of server memory contents seems
+ possible as well.
+ (CVE-2017-15098)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix crash when logical decoding is invoked from a SPI-using function,
diff --git a/doc/src/sgml/release-9.5.sgml b/doc/src/sgml/release-9.5.sgml
index 24565a650eb0c1f3e5cab92789d5d306e2270cb5..86a3c309c05e8b413eee13e0e0b475e828f654c8 100644
--- a/doc/src/sgml/release-9.5.sgml
+++ b/doc/src/sgml/release-9.5.sgml
@@ -23,7 +23,7 @@
</para>
<para>
- However, if you use BRIN indexes, see the first changelog entry below.
+ However, if you use BRIN indexes, see the fourth changelog entry below.
</para>
<para>
@@ -37,6 +37,66 @@
<itemizedlist>
+ <listitem>
+ <para>
+ Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks
+ table permissions and RLS policies in all cases (Dean Rasheed)
+ </para>
+
+ <para>
+ The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal>
+ requires <literal>SELECT</literal> permission on the columns of the
+ arbiter index, but it failed to check for that in the case of an
+ arbiter specified by constraint name.
+ In addition, for a table with row level security enabled, it failed to
+ check updated rows against the table's <literal>SELECT</literal>
+ policies (regardless of how the arbiter index was specified).
+ (CVE-2017-15099)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix crash due to rowtype mismatch
+ in <function>json{b}_populate_recordset()</function>
+ (Michael Paquier, Tom Lane)
+ </para>
+
+ <para>
+ These functions used the result rowtype specified in the <literal>FROM
+ ... AS</literal> clause without checking that it matched the actual
+ rowtype of the supplied tuple value. If it didn't, that would usually
+ result in a crash, though disclosure of server memory contents seems
+ possible as well.
+ (CVE-2017-15098)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix BRIN index summarization to handle concurrent table extension
@@ -259,6 +319,19 @@
</para>
</listitem>
+ <listitem>
+ <para>
+ Fix missing temp-install prerequisites
+ for <literal>check</literal>-like Make targets (Noah Misch)
+ </para>
+
+ <para>
+ Some non-default test procedures that are meant to work
+ like <literal>make check</literal> failed to ensure that the temporary
+ installation was up to date.
+ </para>
+ </listitem>
+
<listitem>
<para>
Sync our copy of the timezone library with IANA release tzcode2017c
diff --git a/doc/src/sgml/release-9.6.sgml b/doc/src/sgml/release-9.6.sgml
index b502be81bf2fa569dd0ca62a755559ee85b7dd6e..9c4974b9e065ef64d7b8eedbd196a83e4a1cbe35 100644
--- a/doc/src/sgml/release-9.6.sgml
+++ b/doc/src/sgml/release-9.6.sgml
@@ -23,7 +23,7 @@
</para>
<para>
- However, if you use BRIN indexes, see the first changelog entry below.
+ However, if you use BRIN indexes, see the fourth changelog entry below.
</para>
<para>
@@ -37,6 +37,66 @@
<itemizedlist>
+ <listitem>
+ <para>
+ Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks
+ table permissions and RLS policies in all cases (Dean Rasheed)
+ </para>
+
+ <para>
+ The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal>
+ requires <literal>SELECT</literal> permission on the columns of the
+ arbiter index, but it failed to check for that in the case of an
+ arbiter specified by constraint name.
+ In addition, for a table with row level security enabled, it failed to
+ check updated rows against the table's <literal>SELECT</literal>
+ policies (regardless of how the arbiter index was specified).
+ (CVE-2017-15099)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix crash due to rowtype mismatch
+ in <function>json{b}_populate_recordset()</function>
+ (Michael Paquier, Tom Lane)
+ </para>
+
+ <para>
+ These functions used the result rowtype specified in the <literal>FROM
+ ... AS</literal> clause without checking that it matched the actual
+ rowtype of the supplied tuple value. If it didn't, that would usually
+ result in a crash, though disclosure of server memory contents seems
+ possible as well.
+ (CVE-2017-15098)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix BRIN index summarization to handle concurrent table extension
@@ -459,6 +519,19 @@ Branch: REL9_6_STABLE [407e66078] 2017-09-14 01:17:15 +0200
</para>
</listitem>
+ <listitem>
+ <para>
+ Fix missing temp-install prerequisites
+ for <literal>check</literal>-like Make targets (Noah Misch)
+ </para>
+
+ <para>
+ Some non-default test procedures that are meant to work
+ like <literal>make check</literal> failed to ensure that the temporary
+ installation was up to date.
+ </para>
+ </listitem>
+
<listitem>
<!--
Author: Tom Lane <tgl@sss.pgh.pa.us>