</para>
<para>
- However, if the function marking mistakes mentioned in the first two
- changelog entries below affect you, you will want to take steps to
- correct your database catalogs.
+ However, if you use the <filename>adminpack</filename> extension,
+ you should update it as per the first changelog entry below.
+ </para>
+
+ <para>
+ Also, if the function marking mistakes mentioned in the second and
+ third changelog entries below affect you, you will want to take steps
+ to correct your database catalogs.
</para>
<para>
<itemizedlist>
+ <listitem>
+ <para>
+ Remove public execute privilege
+ from <filename>contrib/adminpack</filename>'s
+ <function>pg_logfile_rotate()</function> function (Stephen Frost)
+ </para>
+
+ <para>
+ <function>pg_logfile_rotate()</function> is a deprecated wrapper
+ for the core function <function>pg_rotate_logfile()</function>.
+ When that function was changed to rely on SQL privileges for access
+ control rather than a hard-coded superuser
+ check, <function>pg_logfile_rotate()</function> should have been
+ updated as well, but the need for this was missed. Hence,
+ if <filename>adminpack</filename> is installed, any user could
+ request a logfile rotation, creating a minor security issue.
+ </para>
+
+ <para>
+ After installing this update, administrators should
+ update <filename>adminpack</filename> by performing
+ <literal>ALTER EXTENSION adminpack UPDATE</literal> in each
+ database in which <filename>adminpack</filename> is installed.
+ (CVE-2018-1115)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix incorrect volatility markings on a few built-in functions
projects / postgresql / commitdiff