From 0ba3e3ec8166907df835895279bb9b832f6ae348 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Mon, 5 Feb 2018 14:43:40 -0500
Subject: [PATCH] Last-minute updates for release notes.

Security: CVE-2018-1052, CVE-2018-1053
---
 doc/src/sgml/release-9.3.sgml | 22 ++++++++++++++++++++++
 doc/src/sgml/release-9.4.sgml | 22 ++++++++++++++++++++++
 doc/src/sgml/release-9.5.sgml | 22 ++++++++++++++++++++++
 doc/src/sgml/release-9.6.sgml | 22 ++++++++++++++++++++++
 4 files changed, 88 insertions(+)

diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml
index 8be44e33f6..6d339db8d3 100644
--- a/doc/src/sgml/release-9.3.sgml
+++ b/doc/src/sgml/release-9.3.sgml
@@ -33,6 +33,28 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Ensure that all temporary files made
+      by <application>pg_upgrade</application> are non-world-readable
+      (Tom Lane, Noah Misch)
+     </para>
+
+     <para>
+      <application>pg_upgrade</application> normally restricts its
+      temporary files to be readable and writable only by the calling user.
+      But the temporary file containing <literal>pg_dumpall -g</literal>
+      output would be group- or world-readable, or even writable, if the
+      user's <literal>umask</literal> setting allows.  In typical usage on
+      multi-user machines, the <literal>umask</literal> and/or the working
+      directory's permissions would be tight enough to prevent problems;
+      but there may be people using <application>pg_upgrade</application>
+      in scenarios where this oversight would permit disclosure of database
+      passwords to unfriendly eyes.
+      (CVE-2018-1053)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix vacuuming of tuples that were updated while key-share locked
diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml
index 8817fea473..da6cf38f70 100644
--- a/doc/src/sgml/release-9.4.sgml
+++ b/doc/src/sgml/release-9.4.sgml
@@ -33,6 +33,28 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Ensure that all temporary files made
+      by <application>pg_upgrade</application> are non-world-readable
+      (Tom Lane, Noah Misch)
+     </para>
+
+     <para>
+      <application>pg_upgrade</application> normally restricts its
+      temporary files to be readable and writable only by the calling user.
+      But the temporary file containing <literal>pg_dumpall -g</literal>
+      output would be group- or world-readable, or even writable, if the
+      user's <literal>umask</literal> setting allows.  In typical usage on
+      multi-user machines, the <literal>umask</literal> and/or the working
+      directory's permissions would be tight enough to prevent problems;
+      but there may be people using <application>pg_upgrade</application>
+      in scenarios where this oversight would permit disclosure of database
+      passwords to unfriendly eyes.
+      (CVE-2018-1053)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix vacuuming of tuples that were updated while key-share locked
diff --git a/doc/src/sgml/release-9.5.sgml b/doc/src/sgml/release-9.5.sgml
index aa5fa2c5c9..eb99e4b67e 100644
--- a/doc/src/sgml/release-9.5.sgml
+++ b/doc/src/sgml/release-9.5.sgml
@@ -33,6 +33,28 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Ensure that all temporary files made
+      by <application>pg_upgrade</application> are non-world-readable
+      (Tom Lane, Noah Misch)
+     </para>
+
+     <para>
+      <application>pg_upgrade</application> normally restricts its
+      temporary files to be readable and writable only by the calling user.
+      But the temporary file containing <literal>pg_dumpall -g</literal>
+      output would be group- or world-readable, or even writable, if the
+      user's <literal>umask</literal> setting allows.  In typical usage on
+      multi-user machines, the <literal>umask</literal> and/or the working
+      directory's permissions would be tight enough to prevent problems;
+      but there may be people using <application>pg_upgrade</application>
+      in scenarios where this oversight would permit disclosure of database
+      passwords to unfriendly eyes.
+      (CVE-2018-1053)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix vacuuming of tuples that were updated while key-share locked
diff --git a/doc/src/sgml/release-9.6.sgml b/doc/src/sgml/release-9.6.sgml
index 6fb02dfaab..dd685c08ad 100644
--- a/doc/src/sgml/release-9.6.sgml
+++ b/doc/src/sgml/release-9.6.sgml
@@ -39,6 +39,28 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Ensure that all temporary files made
+      by <application>pg_upgrade</application> are non-world-readable
+      (Tom Lane, Noah Misch)
+     </para>
+
+     <para>
+      <application>pg_upgrade</application> normally restricts its
+      temporary files to be readable and writable only by the calling user.
+      But the temporary file containing <literal>pg_dumpall -g</literal>
+      output would be group- or world-readable, or even writable, if the
+      user's <literal>umask</literal> setting allows.  In typical usage on
+      multi-user machines, the <literal>umask</literal> and/or the working
+      directory's permissions would be tight enough to prevent problems;
+      but there may be people using <application>pg_upgrade</application>
+      in scenarios where this oversight would permit disclosure of database
+      passwords to unfriendly eyes.
+      (CVE-2018-1053)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix vacuuming of tuples that were updated while key-share locked
-- 
2.40.0