<itemizedlist>
+ <listitem>
+ <para>
+ Require execute permission on the trigger function for
+ <command>CREATE TRIGGER</> (Robert Haas)
+ </para>
+
+ <para>
+ This missing check could allow another user to execute a trigger
+ function with forged input data, by installing it on a table he owns.
+ This is only of significance for trigger functions marked
+ <literal>SECURITY DEFINER</>, since otherwise trigger functions run
+ as the table owner anyway. (CVE-2012-0866)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Convert newlines to spaces in names written in <application>pg_dump</>
+ comments (Robert Haas)
+ </para>
+
+ <para>
+ <application>pg_dump</> was incautious about sanitizing object names
+ that are emitted within SQL comments in its output script. A name
+ containing a newline would at least render the script syntactically
+ incorrect. Maliciously crafted object names could present a SQL
+ injection risk when the script is reloaded. (CVE-2012-0868)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix btree index corruption from insertions concurrent with vacuuming
<itemizedlist>
+ <listitem>
+ <para>
+ Require execute permission on the trigger function for
+ <command>CREATE TRIGGER</> (Robert Haas)
+ </para>
+
+ <para>
+ This missing check could allow another user to execute a trigger
+ function with forged input data, by installing it on a table he owns.
+ This is only of significance for trigger functions marked
+ <literal>SECURITY DEFINER</>, since otherwise trigger functions run
+ as the table owner anyway. (CVE-2012-0866)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Remove arbitrary limitation on length of common name in SSL
+ certificates (Heikki Linnakangas)
+ </para>
+
+ <para>
+ Both <application>libpq</> and the server truncated the common name
+ extracted from an SSL certificate at 32 bytes. Normally this would
+ cause nothing worse than an unexpected verification failure, but there
+ are some rather-implausible scenarios in which it might allow one
+ certificate holder to impersonate another. The victim would have to
+ have a common name exactly 32 bytes long, and the attacker would have
+ to persuade a trusted CA to issue a certificate in which the common
+ name has that string as a prefix. Impersonating a server would also
+ require some additional exploit to redirect client connections.
+ (CVE-2012-0867)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Convert newlines to spaces in names written in <application>pg_dump</>
+ comments (Robert Haas)
+ </para>
+
+ <para>
+ <application>pg_dump</> was incautious about sanitizing object names
+ that are emitted within SQL comments in its output script. A name
+ containing a newline would at least render the script syntactically
+ incorrect. Maliciously crafted object names could present a SQL
+ injection risk when the script is reloaded. (CVE-2012-0868)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix btree index corruption from insertions concurrent with vacuuming
<itemizedlist>
+ <listitem>
+ <para>
+ Require execute permission on the trigger function for
+ <command>CREATE TRIGGER</> (Robert Haas)
+ </para>
+
+ <para>
+ This missing check could allow another user to execute a trigger
+ function with forged input data, by installing it on a table he owns.
+ This is only of significance for trigger functions marked
+ <literal>SECURITY DEFINER</>, since otherwise trigger functions run
+ as the table owner anyway. (CVE-2012-0866)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Remove arbitrary limitation on length of common name in SSL
+ certificates (Heikki Linnakangas)
+ </para>
+
+ <para>
+ Both <application>libpq</> and the server truncated the common name
+ extracted from an SSL certificate at 32 bytes. Normally this would
+ cause nothing worse than an unexpected verification failure, but there
+ are some rather-implausible scenarios in which it might allow one
+ certificate holder to impersonate another. The victim would have to
+ have a common name exactly 32 bytes long, and the attacker would have
+ to persuade a trusted CA to issue a certificate in which the common
+ name has that string as a prefix. Impersonating a server would also
+ require some additional exploit to redirect client connections.
+ (CVE-2012-0867)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Convert newlines to spaces in names written in <application>pg_dump</>
+ comments (Robert Haas)
+ </para>
+
+ <para>
+ <application>pg_dump</> was incautious about sanitizing object names
+ that are emitted within SQL comments in its output script. A name
+ containing a newline would at least render the script syntactically
+ incorrect. Maliciously crafted object names could present a SQL
+ injection risk when the script is reloaded. (CVE-2012-0868)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix btree index corruption from insertions concurrent with vacuuming
<itemizedlist>
+ <listitem>
+ <para>
+ Require execute permission on the trigger function for
+ <command>CREATE TRIGGER</> (Robert Haas)
+ </para>
+
+ <para>
+ This missing check could allow another user to execute a trigger
+ function with forged input data, by installing it on a table he owns.
+ This is only of significance for trigger functions marked
+ <literal>SECURITY DEFINER</>, since otherwise trigger functions run
+ as the table owner anyway. (CVE-2012-0866)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Remove arbitrary limitation on length of common name in SSL
+ certificates (Heikki Linnakangas)
+ </para>
+
+ <para>
+ Both <application>libpq</> and the server truncated the common name
+ extracted from an SSL certificate at 32 bytes. Normally this would
+ cause nothing worse than an unexpected verification failure, but there
+ are some rather-implausible scenarios in which it might allow one
+ certificate holder to impersonate another. The victim would have to
+ have a common name exactly 32 bytes long, and the attacker would have
+ to persuade a trusted CA to issue a certificate in which the common
+ name has that string as a prefix. Impersonating a server would also
+ require some additional exploit to redirect client connections.
+ (CVE-2012-0867)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Convert newlines to spaces in names written in <application>pg_dump</>
+ comments (Robert Haas)
+ </para>
+
+ <para>
+ <application>pg_dump</> was incautious about sanitizing object names
+ that are emitted within SQL comments in its output script. A name
+ containing a newline would at least render the script syntactically
+ incorrect. Maliciously crafted object names could present a SQL
+ injection risk when the script is reloaded. (CVE-2012-0868)
+ </para>
+ </listitem>
+
<listitem>
<para>
Fix btree index corruption from insertions concurrent with vacuuming
</para>
</listitem>
+ <listitem>
+ <para>
+ Allow MinGW builds to use standardly-named OpenSSL libraries
+ (Tomasz Ostrowski)
+ </para>
+ </listitem>
+
</itemizedlist>
</sect2>
projects / postgresql / commitdiff