From b2ce60703ab431a1d6c10f50587ea5f5e984af2e Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Thu, 23 Feb 2012 17:47:52 -0500 Subject: [PATCH] Last-minute release note updates. Security: CVE-2012-0866, CVE-2012-0867, CVE-2012-0868 --- doc/src/sgml/release-8.3.sgml | 30 ++++++++++++++++++ doc/src/sgml/release-8.4.sgml | 50 ++++++++++++++++++++++++++++++ doc/src/sgml/release-9.0.sgml | 50 ++++++++++++++++++++++++++++++ doc/src/sgml/release-9.1.sgml | 57 +++++++++++++++++++++++++++++++++++ 4 files changed, 187 insertions(+) diff --git a/doc/src/sgml/release-8.3.sgml b/doc/src/sgml/release-8.3.sgml index e80743f463..09f867b527 100644 --- a/doc/src/sgml/release-8.3.sgml +++ b/doc/src/sgml/release-8.3.sgml @@ -34,6 +34,36 @@ + + + Require execute permission on the trigger function for + CREATE TRIGGER (Robert Haas) + + + + This missing check could allow another user to execute a trigger + function with forged input data, by installing it on a table he owns. + This is only of significance for trigger functions marked + SECURITY DEFINER, since otherwise trigger functions run + as the table owner anyway. (CVE-2012-0866) + + + + + + Convert newlines to spaces in names written in pg_dump + comments (Robert Haas) + + + + pg_dump was incautious about sanitizing object names + that are emitted within SQL comments in its output script. A name + containing a newline would at least render the script syntactically + incorrect. Maliciously crafted object names could present a SQL + injection risk when the script is reloaded. (CVE-2012-0868) + + + Fix btree index corruption from insertions concurrent with vacuuming diff --git a/doc/src/sgml/release-8.4.sgml b/doc/src/sgml/release-8.4.sgml index 2cddc5ec0c..7dbc78e500 100644 --- a/doc/src/sgml/release-8.4.sgml +++ b/doc/src/sgml/release-8.4.sgml 
@@ -34,6 +34,56 @@ + + + Require execute permission on the trigger function for + CREATE TRIGGER (Robert Haas) + + + + This missing check could allow another user to execute a trigger + function with forged input data, by installing it on a table he owns. + This is only of significance for trigger functions marked + SECURITY DEFINER, since otherwise trigger functions run + as the table owner anyway. (CVE-2012-0866) + + + + + + Remove arbitrary limitation on length of common name in SSL + certificates (Heikki Linnakangas) + + + + Both libpq and the server truncated the common name + extracted from an SSL certificate at 32 bytes. Normally this would + cause nothing worse than an unexpected verification failure, but there + are some rather-implausible scenarios in which it might allow one + certificate holder to impersonate another. The victim would have to + have a common name exactly 32 bytes long, and the attacker would have + to persuade a trusted CA to issue a certificate in which the common + name has that string as a prefix. Impersonating a server would also + require some additional exploit to redirect client connections. + (CVE-2012-0867) + + + + + + Convert newlines to spaces in names written in pg_dump + comments (Robert Haas) + + + + pg_dump was incautious about sanitizing object names + that are emitted within SQL comments in its output script. A name + containing a newline would at least render the script syntactically + incorrect. Maliciously crafted object names could present a SQL + injection risk when the script is reloaded. (CVE-2012-0868) + + + Fix btree index corruption from insertions concurrent with vacuuming diff --git a/doc/src/sgml/release-9.0.sgml b/doc/src/sgml/release-9.0.sgml index 7b29590bb1..16de221dc1 100644 --- a/doc/src/sgml/release-9.0.sgml +++ b/doc/src/sgml/release-9.0.sgml 
@@ -34,6 +34,56 @@ + + + Require execute permission on the trigger function for + CREATE TRIGGER (Robert Haas) + + + + This missing check could allow another user to execute a trigger + function with forged input data, by installing it on a table he owns. + This is only of significance for trigger functions marked + SECURITY DEFINER, since otherwise trigger functions run + as the table owner anyway. (CVE-2012-0866) + + + + + + Remove arbitrary limitation on length of common name in SSL + certificates (Heikki Linnakangas) + + + + Both libpq and the server truncated the common name + extracted from an SSL certificate at 32 bytes. Normally this would + cause nothing worse than an unexpected verification failure, but there + are some rather-implausible scenarios in which it might allow one + certificate holder to impersonate another. The victim would have to + have a common name exactly 32 bytes long, and the attacker would have + to persuade a trusted CA to issue a certificate in which the common + name has that string as a prefix. Impersonating a server would also + require some additional exploit to redirect client connections. + (CVE-2012-0867) + + + + + + Convert newlines to spaces in names written in pg_dump + comments (Robert Haas) + + + + pg_dump was incautious about sanitizing object names + that are emitted within SQL comments in its output script. A name + containing a newline would at least render the script syntactically + incorrect. Maliciously crafted object names could present a SQL + injection risk when the script is reloaded. (CVE-2012-0868) + + + Fix btree index corruption from insertions concurrent with vacuuming diff --git a/doc/src/sgml/release-9.1.sgml b/doc/src/sgml/release-9.1.sgml index 46abbec10a..ca53f5fc7d 100644 --- a/doc/src/sgml/release-9.1.sgml +++ b/doc/src/sgml/release-9.1.sgml 
@@ -34,6 +34,56 @@ + + + Require execute permission on the trigger function for + CREATE TRIGGER (Robert Haas) + + + + This missing check could allow another user to execute a trigger + function with forged input data, by installing it on a table he owns. + This is only of significance for trigger functions marked + SECURITY DEFINER, since otherwise trigger functions run + as the table owner anyway. (CVE-2012-0866) + + + + + + Remove arbitrary limitation on length of common name in SSL + certificates (Heikki Linnakangas) + + + + Both libpq and the server truncated the common name + extracted from an SSL certificate at 32 bytes. Normally this would + cause nothing worse than an unexpected verification failure, but there + are some rather-implausible scenarios in which it might allow one + certificate holder to impersonate another. The victim would have to + have a common name exactly 32 bytes long, and the attacker would have + to persuade a trusted CA to issue a certificate in which the common + name has that string as a prefix. Impersonating a server would also + require some additional exploit to redirect client connections. + (CVE-2012-0867) + + + + + + Convert newlines to spaces in names written in pg_dump + comments (Robert Haas) + + + + pg_dump was incautious about sanitizing object names + that are emitted within SQL comments in its output script. A name + containing a newline would at least render the script syntactically + incorrect. Maliciously crafted object names could present a SQL + injection risk when the script is reloaded. (CVE-2012-0868) + + + Fix btree index corruption from insertions concurrent with vacuuming @@ -576,6 +626,13 @@ + + + Allow MinGW builds to use standardly-named OpenSSL libraries + (Tomasz Ostrowski) + + + -- 2.40.0
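Review bot: The release-8.3.sgml hunk carries only the CVE-2012-0866 and CVE-2012-0868 items, while the 8.4, 9.0 and 9.1 hunks all also carry the CVE-2012-0867 SSL common-name item; confirm the omission is deliberate (i.e. that 8.3 is not affected by the 32-byte truncation) and, if it is, consider a one-line remark in the 8.3 notes so readers comparing branches do not assume the fix was missed.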
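Review bot: In the CVE-2012-0868 item of the release-8.4.sgml hunk (and the identical copies in the other three files), the text explains the injection risk "when the script is reloaded" but gives no guidance to readers who already hold dump scripts produced by an unpatched pg_dump; since the fix changes only what a patched pg_dump emits, suggest adding a sentence advising that existing scripts taken from databases whose object names are not fully trusted be regenerated or inspected before they are reloaded.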
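Review bot: The CVE-2012-0866 item in the release-9.0.sgml hunk (same wording in all four files) says the execute-permission check is now made "for CREATE TRIGGER" but does not say what happens to triggers created before the upgrade; suggest stating explicitly whether pre-existing triggers are re-validated or only newly created ones are checked, so administrators know whether an audit of existing SECURITY DEFINER trigger functions is needed after applying the update.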
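Review bot: Style point on the first release-9.1.sgml hunk, applicable to the identical text in the other three files: "by installing it on a table he owns" should read "by installing it on a table they own", and "rather-implausible scenarios" in the CVE-2012-0867 item does not need the hyphen ("rather implausible scenarios").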
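Review bot: The second release-9.1.sgml hunk (@@ -576,6 +626,13 @@) adds the MinGW item with only a title and no descriptive paragraph, unlike every other item in this patch; suggest a short sentence saying which OpenSSL library names MinGW builds now accept, and replacing the awkward "standardly-named" with "conventionally named".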