From d69c0710a68068c7a415aaefd2c7d51f3197fe38 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Mon, 6 Nov 2017 12:02:30 -0500
Subject: [PATCH] Last-minute updates for release notes.
Security: CVE-2017-12172, CVE-2017-15098, CVE-2017-15099
---
doc/src/sgml/release-9.2.sgml | 25 ++++++++++++
doc/src/sgml/release-9.3.sgml | 42 ++++++++++++++++++++
doc/src/sgml/release-9.4.sgml | 42 ++++++++++++++++++++
doc/src/sgml/release-9.5.sgml | 75 ++++++++++++++++++++++++++++++++++-
doc/src/sgml/release-9.6.sgml | 75 ++++++++++++++++++++++++++++++++++-
5 files changed, 257 insertions(+), 2 deletions(-)
diff --git a/doc/src/sgml/release-9.2.sgml b/doc/src/sgml/release-9.2.sgml
index f0283ad500f..e1bfb2e2b22 100644
--- a/doc/src/sgml/release-9.2.sgml
+++ b/doc/src/sgml/release-9.2.sgml
@@ -40,6 +40,31 @@
<itemizedlist>
+ <listitem>
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
<listitem>
<para>
Properly reject attempts to convert infinite float values to
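Review bot: the remediation paragraph ("If the existing $PGLOG file is root-owned, it will need to be removed or renamed...") only covers the ownership case; since the flaw was symlink-based, it should also tell administrators to confirm that $PGLOG is a regular file owned by $PGUSER, not a symbolic link, before restarting with the corrected script. The same paragraph says users "will need to manually recopy them" without saying where in the distribution the sample scripts live; naming the source location would make the instruction actionable.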
diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml
index 160da1ca8b9..b198f85d802 100644
--- a/doc/src/sgml/release-9.3.sgml
+++ b/doc/src/sgml/release-9.3.sgml
@@ -34,6 +34,48 @@
<itemizedlist>
+ <listitem>
+ <para>
+ Fix crash due to rowtype mismatch
+ in <function>json{b}_populate_recordset()</function>
+ (Michael Paquier, Tom Lane)
+ </para>
+
+ <para>
+ These functions used the result rowtype specified in the <literal>FROM
+ ... AS</literal> clause without checking that it matched the actual
+ rowtype of the supplied tuple value. If it didn't, that would usually
+ result in a crash, though disclosure of server memory contents seems
+ possible as well.
+ (CVE-2017-15098)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
<listitem>
<para>
Properly reject attempts to convert infinite float values to
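Review bot: the 9.3 entry names <function>json{b}_populate_recordset()</function>, but jsonb and its populate functions were introduced in 9.4, so on this branch the shorthand refers to a function that does not exist; suggest <function>json_populate_recordset()</function> here and keeping the json{b} form only in the 9.4 and later notes.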
diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml
index d5621fd1ce7..722a105c89c 100644
--- a/doc/src/sgml/release-9.4.sgml
+++ b/doc/src/sgml/release-9.4.sgml
@@ -33,6 +33,48 @@
<itemizedlist>
+ <listitem>
+ <para>
+ Fix crash due to rowtype mismatch
+ in <function>json{b}_populate_recordset()</function>
+ (Michael Paquier, Tom Lane)
+ </para>
+
+ <para>
+ These functions used the result rowtype specified in the <literal>FROM
+ ... AS</literal> clause without checking that it matched the actual
+ rowtype of the supplied tuple value. If it didn't, that would usually
+ result in a crash, though disclosure of server memory contents seems
+ possible as well.
+ (CVE-2017-15098)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix crash when logical decoding is invoked from a SPI-using function,
diff --git a/doc/src/sgml/release-9.5.sgml b/doc/src/sgml/release-9.5.sgml
index 24565a650eb..86a3c309c05 100644
--- a/doc/src/sgml/release-9.5.sgml
+++ b/doc/src/sgml/release-9.5.sgml
@@ -23,7 +23,7 @@
</para>
<para>
- However, if you use BRIN indexes, see the first changelog entry below.
+ However, if you use BRIN indexes, see the fourth changelog entry below.
</para>
<para>
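Review bot: changing "first" to "fourth" is correct given the three entries inserted ahead of the BRIN item in the next hunk, but an ordinal reference breaks silently the next time an entry is added or reordered; consider referring to the BRIN entry by an id-based link or by its title ("the BRIN index summarization entry below") instead.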
@@ -37,6 +37,66 @@
<itemizedlist>
+ <listitem>
+ <para>
+ Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks
+ table permissions and RLS policies in all cases (Dean Rasheed)
+ </para>
+
+ <para>
+ The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal>
+ requires <literal>SELECT</literal> permission on the columns of the
+ arbiter index, but it failed to check for that in the case of an
+ arbiter specified by constraint name.
+ In addition, for a table with row level security enabled, it failed to
+ check updated rows against the table's <literal>SELECT</literal>
+ policies (regardless of how the arbiter index was specified).
+ (CVE-2017-15099)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix crash due to rowtype mismatch
+ in <function>json{b}_populate_recordset()</function>
+ (Michael Paquier, Tom Lane)
+ </para>
+
+ <para>
+ These functions used the result rowtype specified in the <literal>FROM
+ ... AS</literal> clause without checking that it matched the actual
+ rowtype of the supplied tuple value. If it didn't, that would usually
+ result in a crash, though disclosure of server memory contents seems
+ possible as well.
+ (CVE-2017-15098)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix BRIN index summarization to handle concurrent table extension
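Review bot: the INSERT ... ON CONFLICT DO UPDATE entry describes the missing checks but not their visible consequence after upgrading: statements that previously succeeded with an arbiter specified by constraint name will now fail unless the role also holds SELECT on the arbiter index columns, and on RLS-enabled tables rows that fail the SELECT policies will now be rejected. A release note should flag that as a behaviour change so administrators can review privileges before upgrading rather than after the first failure.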
@@ -259,6 +319,19 @@
</para>
</listitem>
+ <listitem>
+ <para>
+ Fix missing temp-install prerequisites
+ for <literal>check</literal>-like Make targets (Noah Misch)
+ </para>
+
+ <para>
+ Some non-default test procedures that are meant to work
+ like <literal>make check</literal> failed to ensure that the temporary
+ installation was up to date.
+ </para>
+ </listitem>
+
<listitem>
<para>
Sync our copy of the timezone library with IANA release tzcode2017c
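Review bot: "Some non-default test procedures that are meant to work like make check" does not tell the reader which Make targets were affected or what the failure looked like; if a stale temporary installation meant tests ran against old binaries, say so, since a silently stale install can produce false passes and is worth naming explicitly.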
diff --git a/doc/src/sgml/release-9.6.sgml b/doc/src/sgml/release-9.6.sgml
index b502be81bf2..9c4974b9e06 100644
--- a/doc/src/sgml/release-9.6.sgml
+++ b/doc/src/sgml/release-9.6.sgml
@@ -23,7 +23,7 @@
</para>
<para>
- However, if you use BRIN indexes, see the first changelog entry below.
+ However, if you use BRIN indexes, see the fourth changelog entry below.
</para>
<para>
@@ -37,6 +37,66 @@
<itemizedlist>
+ <listitem>
+ <para>
+ Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks
+ table permissions and RLS policies in all cases (Dean Rasheed)
+ </para>
+
+ <para>
+ The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal>
+ requires <literal>SELECT</literal> permission on the columns of the
+ arbiter index, but it failed to check for that in the case of an
+ arbiter specified by constraint name.
+ In addition, for a table with row level security enabled, it failed to
+ check updated rows against the table's <literal>SELECT</literal>
+ policies (regardless of how the arbiter index was specified).
+ (CVE-2017-15099)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix crash due to rowtype mismatch
+ in <function>json{b}_populate_recordset()</function>
+ (Michael Paquier, Tom Lane)
+ </para>
+
+ <para>
+ These functions used the result rowtype specified in the <literal>FROM
+ ... AS</literal> clause without checking that it matched the actual
+ rowtype of the supplied tuple value. If it didn't, that would usually
+ result in a crash, though disclosure of server memory contents seems
+ possible as well.
+ (CVE-2017-15098)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix BRIN index summarization to handle concurrent table extension
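Review bot: in the RLS sentence, "failed to check updated rows against the table's SELECT policies" is ambiguous about which row is meant: the existing conflicting row that is about to be updated, the row as it stands after the update, or both. Because UPDATE under row-level security ordinarily consults SELECT policies for the existing row and WITH CHECK policies for the new one, the entry should state precisely which check was missing.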
@@ -459,6 +519,19 @@ Branch: REL9_6_STABLE [407e66078] 2017-09-14 01:17:15 +0200
</para>
</listitem>
+ <listitem>
+ <para>
+ Fix missing temp-install prerequisites
+ for <literal>check</literal>-like Make targets (Noah Misch)
+ </para>
+
+ <para>
+ Some non-default test procedures that are meant to work
+ like <literal>make check</literal> failed to ensure that the temporary
+ installation was up to date.
+ </para>
+ </listitem>
+
<listitem>
<!--
Author: Tom Lane <tgl@sss.pgh.pa.us>
--