From: Tom Lane Date: Mon, 6 Aug 2018 17:13:40 +0000 (-0400) Subject: Last-minute updates for release notes. X-Git-Tag: REL_11_BETA3~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=749839c4d53c60de2e51ef82a03f1084e3ec1f6c;p=postgresql Last-minute updates for release notes. Security: CVE-2018-10915, CVE-2018-10925 --- diff --git a/doc/src/sgml/release-10.sgml b/doc/src/sgml/release-10.sgml index 1dcb6d9a86..f1b0f2e0bf 100644 --- a/doc/src/sgml/release-10.sgml +++ b/doc/src/sgml/release-10.sgml @@ -35,6 +35,73 @@ + + Fix failure to reset libpq's state fully + between connection attempts (Tom Lane) + + + + An unprivileged user of dblink + or postgres_fdw could bypass the checks intended + to prevent use of server-side credentials, such as + a ~/.pgpass file owned by the operating-system + user running the server. Servers allowing peer authentication on + local connections are particularly vulnerable. Other attacks such + as SQL injection into a postgres_fdw session + are also possible. + Attacking postgres_fdw in this way requires the + ability to create a foreign server object with selected connection + parameters, but any user with access to dblink + could exploit the problem. + In general, an attacker with the ability to select the connection + parameters for a libpq-using application + could cause mischief, though other plausible attack scenarios are + harder to think of. + Our thanks to Andrew Krasichkov for reporting this issue. + (CVE-2018-10915) + + + + + + + Fix INSERT ... ON CONFLICT UPDATE through a view + that isn't just SELECT * FROM ... + (Dean Rasheed, Amit Langote) + + + + Erroneous expansion of an updatable view could lead to crashes + or attribute ... has the wrong type errors, if the + view's SELECT list doesn't match one-to-one with + the underlying table's columns. + Furthermore, this bug could be leveraged to allow updates of columns + that an attacking user lacks UPDATE privilege for, + if that user has INSERT and UPDATE + privileges for some other column(s) of the table. + Any user could also use it for disclosure of server memory. + (CVE-2018-10925) + + + + + - - Fix INSERT ... ON CONFLICT UPDATE through a view - that isn't just SELECT * FROM ... - (Dean Rasheed, Amit Langote) - - - - Erroneous expansion of an updatable view could lead to crashes - or attribute ... has the wrong type errors, if the - view's SELECT list doesn't match one-to-one with - the underlying table's columns. - - - - -