From 09189cb6059f28aea59cca4f419c535123f499b8 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Thu, 23 Feb 2012 17:48:05 -0500 Subject: [PATCH] Last-minute release note updates. Security: CVE-2012-0866, CVE-2012-0867, CVE-2012-0868 --- doc/src/sgml/release-8.3.sgml | 30 +++++++++++++++++++++ doc/src/sgml/release-8.4.sgml | 50 +++++++++++++++++++++++++++++++++++ doc/src/sgml/release-9.0.sgml | 50 +++++++++++++++++++++++++++++++++++ 3 files changed, 130 insertions(+) diff --git a/doc/src/sgml/release-8.3.sgml b/doc/src/sgml/release-8.3.sgml index e80743f463..09f867b527 100644 --- a/doc/src/sgml/release-8.3.sgml +++ b/doc/src/sgml/release-8.3.sgml @@ -34,6 +34,36 @@ + + + Require execute permission on the trigger function for + CREATE TRIGGER (Robert Haas) + + + + This missing check could allow another user to execute a trigger + function with forged input data, by installing it on a table he owns. + This is only of significance for trigger functions marked + SECURITY DEFINER, since otherwise trigger functions run + as the table owner anyway. (CVE-2012-0866) + + + + + + Convert newlines to spaces in names written in pg_dump + comments (Robert Haas) + + + + pg_dump was incautious about sanitizing object names + that are emitted within SQL comments in its output script. A name + containing a newline would at least render the script syntactically + incorrect. Maliciously crafted object names could present a SQL + injection risk when the script is reloaded. (CVE-2012-0868) + + + Fix btree index corruption from insertions concurrent with vacuuming diff --git a/doc/src/sgml/release-8.4.sgml b/doc/src/sgml/release-8.4.sgml index 2cddc5ec0c..7dbc78e500 100644 --- a/doc/src/sgml/release-8.4.sgml +++ b/doc/src/sgml/release-8.4.sgml @@ -34,6 +34,56 @@ + + + Require execute permission on the trigger function for + CREATE TRIGGER (Robert Haas) + + + + This missing check could allow another user to execute a trigger + function with forged input data, by installing it on a table he owns. + This is only of significance for trigger functions marked + SECURITY DEFINER, since otherwise trigger functions run + as the table owner anyway. (CVE-2012-0866) + + + + + + Remove arbitrary limitation on length of common name in SSL + certificates (Heikki Linnakangas) + + + + Both libpq and the server truncated the common name + extracted from an SSL certificate at 32 bytes. Normally this would + cause nothing worse than an unexpected verification failure, but there + are some rather-implausible scenarios in which it might allow one + certificate holder to impersonate another. The victim would have to + have a common name exactly 32 bytes long, and the attacker would have + to persuade a trusted CA to issue a certificate in which the common + name has that string as a prefix. Impersonating a server would also + require some additional exploit to redirect client connections. + (CVE-2012-0867) + + + + + + Convert newlines to spaces in names written in pg_dump + comments (Robert Haas) + + + + pg_dump was incautious about sanitizing object names + that are emitted within SQL comments in its output script. A name + containing a newline would at least render the script syntactically + incorrect. Maliciously crafted object names could present a SQL + injection risk when the script is reloaded. (CVE-2012-0868) + + + Fix btree index corruption from insertions concurrent with vacuuming diff --git a/doc/src/sgml/release-9.0.sgml b/doc/src/sgml/release-9.0.sgml index 7b29590bb1..16de221dc1 100644 --- a/doc/src/sgml/release-9.0.sgml +++ b/doc/src/sgml/release-9.0.sgml @@ -34,6 +34,56 @@ + + + Require execute permission on the trigger function for + CREATE TRIGGER (Robert Haas) + + + + This missing check could allow another user to execute a trigger + function with forged input data, by installing it on a table he owns. + This is only of significance for trigger functions marked + SECURITY DEFINER, since otherwise trigger functions run + as the table owner anyway. (CVE-2012-0866) + + + + + + Remove arbitrary limitation on length of common name in SSL + certificates (Heikki Linnakangas) + + + + Both libpq and the server truncated the common name + extracted from an SSL certificate at 32 bytes. Normally this would + cause nothing worse than an unexpected verification failure, but there + are some rather-implausible scenarios in which it might allow one + certificate holder to impersonate another. The victim would have to + have a common name exactly 32 bytes long, and the attacker would have + to persuade a trusted CA to issue a certificate in which the common + name has that string as a prefix. Impersonating a server would also + require some additional exploit to redirect client connections. + (CVE-2012-0867) + + + + + + Convert newlines to spaces in names written in pg_dump + comments (Robert Haas) + + + + pg_dump was incautious about sanitizing object names + that are emitted within SQL comments in its output script. A name + containing a newline would at least render the script syntactically + incorrect. Maliciously crafted object names could present a SQL + injection risk when the script is reloaded. (CVE-2012-0868) + + + Fix btree index corruption from insertions concurrent with vacuuming -- 2.40.0