From e0ee93053998b159e395deed7c42e02b1f921552 Mon Sep 17 00:00:00 2001 From: Tom Lane <tgl@sss.pgh.pa.us> Date: Mon, 6 Aug 2018 13:13:40 -0400 Subject: [PATCH] Last-minute updates for release notes. Security: CVE-2018-10915, CVE-2018-10925 --- doc/src/sgml/release-10.sgml | 90 ++++++++++++++++++++++++++--------- doc/src/sgml/release-9.3.sgml | 28 +++++++++++ doc/src/sgml/release-9.4.sgml | 28 +++++++++++ doc/src/sgml/release-9.5.sgml | 64 +++++++++++++++++++------ doc/src/sgml/release-9.6.sgml | 64 +++++++++++++++++++------ 5 files changed, 221 insertions(+), 53 deletions(-) diff --git a/doc/src/sgml/release-10.sgml b/doc/src/sgml/release-10.sgml index 1dcb6d9a86..f1b0f2e0bf 100644 --- a/doc/src/sgml/release-10.sgml +++ b/doc/src/sgml/release-10.sgml 
@@ -35,6 +35,73 @@ <listitem> <!-- +Author: Tom Lane <tgl@sss.pgh.pa.us> +Branch: master [d1c6a14ba] 2018-08-06 10:53:35 -0400 +Branch: REL_11_STABLE [f6f735f78] 2018-08-06 10:53:35 -0400 +Branch: REL_10_STABLE [ab5400469] 2018-08-06 10:53:35 -0400 +Branch: REL9_6_STABLE [a8094d0fe] 2018-08-06 10:53:35 -0400 +Branch: REL9_5_STABLE [7aabfd1d8] 2018-08-06 10:53:35 -0400 +Branch: REL9_4_STABLE [6de9766b8] 2018-08-06 10:53:35 -0400 +Branch: REL9_3_STABLE [243de06be] 2018-08-06 10:53:35 -0400 +--> + <para> + Fix failure to reset <application>libpq</application>'s state fully + between connection attempts (Tom Lane) + </para> + + <para> + An unprivileged user of <filename>dblink</filename> + or <filename>postgres_fdw</filename> could bypass the checks intended + to prevent use of server-side credentials, such as + a <filename>~/.pgpass</filename> file owned by the operating-system + user running the server. Servers allowing peer authentication on + local connections are particularly vulnerable. Other attacks such + as SQL injection into a <filename>postgres_fdw</filename> session + are also possible. + Attacking <filename>postgres_fdw</filename> in this way requires the + ability to create a foreign server object with selected connection + parameters, but any user with access to <filename>dblink</filename> + could exploit the problem. + In general, an attacker with the ability to select the connection + parameters for a <application>libpq</application>-using application + could cause mischief, though other plausible attack scenarios are + harder to think of. + Our thanks to Andrew Krasichkov for reporting this issue. 
+ (CVE-2018-10915) + </para> + </listitem> + + <listitem> +<!-- +Author: Tom Lane <tgl@sss.pgh.pa.us> +Branch: master [b8a1247a3] 2018-08-04 19:38:58 -0400 +Branch: REL_11_STABLE [e7154b6ac] 2018-08-04 19:38:58 -0400 +Branch: REL_10_STABLE [f6a124d01] 2018-08-04 19:38:58 -0400 +Branch: REL9_6_STABLE [b484bffe7] 2018-08-04 19:38:58 -0400 +Branch: REL9_5_STABLE [5ad143cda] 2018-08-04 19:38:59 -0400 +--> + <para> + Fix <literal>INSERT ... ON CONFLICT UPDATE</literal> through a view + that isn't just <literal>SELECT * FROM ...</literal> + (Dean Rasheed, Amit Langote) + </para> + + <para> + Erroneous expansion of an updatable view could lead to crashes + or <quote>attribute ... has the wrong type</quote> errors, if the + view's <literal>SELECT</literal> list doesn't match one-to-one with + the underlying table's columns. + Furthermore, this bug could be leveraged to allow updates of columns + that an attacking user lacks <literal>UPDATE</literal> privilege for, + if that user has <literal>INSERT</literal> and <literal>UPDATE</literal> + privileges for some other column(s) of the table. + Any user could also use it for disclosure of server memory. + (CVE-2018-10925) + </para> + </listitem> + + <listitem> +<!-- Author: Andres Freund <andres@anarazel.de> Branch: master Release: REL_11_BR [a54e1f158] 2018-06-12 11:13:21 -0700 Branch: REL_10_STABLE [2ce64caaf] 2018-06-12 11:13:21 -0700 
@@ -260,29 +327,6 @@ Branch: REL_10_STABLE [4beb25c63] 2018-07-16 17:55:13 -0400 <listitem> <!-- -Author: Tom Lane <tgl@sss.pgh.pa.us> -Branch: master [b8a1247a3] 2018-08-04 19:38:58 -0400 -Branch: REL_11_STABLE [e7154b6ac] 2018-08-04 19:38:58 -0400 -Branch: REL_10_STABLE [f6a124d01] 2018-08-04 19:38:58 -0400 -Branch: REL9_6_STABLE [b484bffe7] 2018-08-04 19:38:58 -0400 -Branch: REL9_5_STABLE [5ad143cda] 2018-08-04 19:38:59 -0400 ---> - <para> - Fix <literal>INSERT ... ON CONFLICT UPDATE</literal> through a view - that isn't just <literal>SELECT * FROM ...</literal> - (Dean Rasheed, Amit Langote) - </para> - - <para> - Erroneous expansion of an updatable view could lead to crashes - or <quote>attribute ... has the wrong type</quote> errors, if the - view's <literal>SELECT</literal> list doesn't match one-to-one with - the underlying table's columns. - </para> - </listitem> - - <listitem> -<!-- Author: Peter Geoghegan <pg@bowt.ie> Branch: master [b3f919da0] 2018-08-03 15:11:31 -0700 Branch: REL_11_STABLE [b9612e5cf] 2018-08-03 14:45:02 -0700 diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml index 9ded45fa96..630d124ae2 100644 --- a/doc/src/sgml/release-9.3.sgml +++ b/doc/src/sgml/release-9.3.sgml 
@@ -39,6 +39,34 @@ <itemizedlist> + <listitem> + <para> + Fix failure to reset <application>libpq</application>'s state fully + between connection attempts (Tom Lane) + </para> + + <para> + An unprivileged user of <filename>dblink</filename> + or <filename>postgres_fdw</filename> could bypass the checks intended + to prevent use of server-side credentials, such as + a <filename>~/.pgpass</filename> file owned by the operating-system + user running the server. Servers allowing peer authentication on + local connections are particularly vulnerable. Other attacks such + as SQL injection into a <filename>postgres_fdw</filename> session + are also possible. + Attacking <filename>postgres_fdw</filename> in this way requires the + ability to create a foreign server object with selected connection + parameters, but any user with access to <filename>dblink</filename> + could exploit the problem. + In general, an attacker with the ability to select the connection + parameters for a <application>libpq</application>-using application + could cause mischief, though other plausible attack scenarios are + harder to think of. + Our thanks to Andrew Krasichkov for reporting this issue. + (CVE-2018-10915) + </para> + </listitem> + <listitem> <para> Ensure that updates to the <structfield>relfrozenxid</structfield> diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml index 6a01fbd4be..632661016b 100644 --- a/doc/src/sgml/release-9.4.sgml +++ b/doc/src/sgml/release-9.4.sgml 
@@ -33,6 +33,34 @@ <itemizedlist> + <listitem> + <para> + Fix failure to reset <application>libpq</application>'s state fully + between connection attempts (Tom Lane) + </para> + + <para> + An unprivileged user of <filename>dblink</filename> + or <filename>postgres_fdw</filename> could bypass the checks intended + to prevent use of server-side credentials, such as + a <filename>~/.pgpass</filename> file owned by the operating-system + user running the server. Servers allowing peer authentication on + local connections are particularly vulnerable. Other attacks such + as SQL injection into a <filename>postgres_fdw</filename> session + are also possible. + Attacking <filename>postgres_fdw</filename> in this way requires the + ability to create a foreign server object with selected connection + parameters, but any user with access to <filename>dblink</filename> + could exploit the problem. + In general, an attacker with the ability to select the connection + parameters for a <application>libpq</application>-using application + could cause mischief, though other plausible attack scenarios are + harder to think of. + Our thanks to Andrew Krasichkov for reporting this issue. + (CVE-2018-10915) + </para> + </listitem> + <listitem> <para> Ensure that updates to the <structfield>relfrozenxid</structfield> diff --git a/doc/src/sgml/release-9.5.sgml b/doc/src/sgml/release-9.5.sgml index d414ab4f71..7ac703fcb2 100644 --- a/doc/src/sgml/release-9.5.sgml +++ b/doc/src/sgml/release-9.5.sgml 
@@ -33,6 +33,55 @@ <itemizedlist> + <listitem> + <para> + Fix failure to reset <application>libpq</application>'s state fully + between connection attempts (Tom Lane) + </para> + + <para> + An unprivileged user of <filename>dblink</filename> + or <filename>postgres_fdw</filename> could bypass the checks intended + to prevent use of server-side credentials, such as + a <filename>~/.pgpass</filename> file owned by the operating-system + user running the server. Servers allowing peer authentication on + local connections are particularly vulnerable. Other attacks such + as SQL injection into a <filename>postgres_fdw</filename> session + are also possible. + Attacking <filename>postgres_fdw</filename> in this way requires the + ability to create a foreign server object with selected connection + parameters, but any user with access to <filename>dblink</filename> + could exploit the problem. + In general, an attacker with the ability to select the connection + parameters for a <application>libpq</application>-using application + could cause mischief, though other plausible attack scenarios are + harder to think of. + Our thanks to Andrew Krasichkov for reporting this issue. + (CVE-2018-10915) + </para> + </listitem> + + <listitem> + <para> + Fix <literal>INSERT ... ON CONFLICT UPDATE</literal> through a view + that isn't just <literal>SELECT * FROM ...</literal> + (Dean Rasheed, Amit Langote) + </para> + + <para> + Erroneous expansion of an updatable view could lead to crashes + or <quote>attribute ... has the wrong type</quote> errors, if the + view's <literal>SELECT</literal> list doesn't match one-to-one with + the underlying table's columns. + Furthermore, this bug could be leveraged to allow updates of columns + that an attacking user lacks <literal>UPDATE</literal> privilege for, + if that user has <literal>INSERT</literal> and <literal>UPDATE</literal> + privileges for some other column(s) of the table. 
+ Any user could also use it for disclosure of server memory. + (CVE-2018-10925) + </para> + </listitem> + <listitem> <para> Ensure that updates to the <structfield>relfrozenxid</structfield> @@ -140,21 +189,6 @@ </para> </listitem> - <listitem> - <para> - Fix <literal>INSERT ... ON CONFLICT UPDATE</literal> through a view - that isn't just <literal>SELECT * FROM ...</literal> - (Dean Rasheed, Amit Langote) - </para> - - <para> - Erroneous expansion of an updatable view could lead to crashes - or <quote>attribute ... has the wrong type</quote> errors, if the - view's <literal>SELECT</literal> list doesn't match one-to-one with - the underlying table's columns. - </para> - </listitem> - <listitem> <para> Ensure a table's cached index list is correctly rebuilt after an index diff --git a/doc/src/sgml/release-9.6.sgml b/doc/src/sgml/release-9.6.sgml index 4e6b721efb..acb6a88b31 100644 --- a/doc/src/sgml/release-9.6.sgml +++ b/doc/src/sgml/release-9.6.sgml 
@@ -33,6 +33,55 @@ <itemizedlist> + <listitem> + <para> + Fix failure to reset <application>libpq</application>'s state fully + between connection attempts (Tom Lane) + </para> + + <para> + An unprivileged user of <filename>dblink</filename> + or <filename>postgres_fdw</filename> could bypass the checks intended + to prevent use of server-side credentials, such as + a <filename>~/.pgpass</filename> file owned by the operating-system + user running the server. Servers allowing peer authentication on + local connections are particularly vulnerable. Other attacks such + as SQL injection into a <filename>postgres_fdw</filename> session + are also possible. + Attacking <filename>postgres_fdw</filename> in this way requires the + ability to create a foreign server object with selected connection + parameters, but any user with access to <filename>dblink</filename> + could exploit the problem. + In general, an attacker with the ability to select the connection + parameters for a <application>libpq</application>-using application + could cause mischief, though other plausible attack scenarios are + harder to think of. + Our thanks to Andrew Krasichkov for reporting this issue. + (CVE-2018-10915) + </para> + </listitem> + + <listitem> + <para> + Fix <literal>INSERT ... ON CONFLICT UPDATE</literal> through a view + that isn't just <literal>SELECT * FROM ...</literal> + (Dean Rasheed, Amit Langote) + </para> + + <para> + Erroneous expansion of an updatable view could lead to crashes + or <quote>attribute ... has the wrong type</quote> errors, if the + view's <literal>SELECT</literal> list doesn't match one-to-one with + the underlying table's columns. + Furthermore, this bug could be leveraged to allow updates of columns + that an attacking user lacks <literal>UPDATE</literal> privilege for, + if that user has <literal>INSERT</literal> and <literal>UPDATE</literal> + privileges for some other column(s) of the table. 
+ Any user could also use it for disclosure of server memory. + (CVE-2018-10925) + </para> + </listitem> + <listitem> <para> Ensure that updates to the <structfield>relfrozenxid</structfield> @@ -140,21 +189,6 @@ </para> </listitem> - <listitem> - <para> - Fix <literal>INSERT ... ON CONFLICT UPDATE</literal> through a view - that isn't just <literal>SELECT * FROM ...</literal> - (Dean Rasheed, Amit Langote) - </para> - - <para> - Erroneous expansion of an updatable view could lead to crashes - or <quote>attribute ... has the wrong type</quote> errors, if the - view's <literal>SELECT</literal> list doesn't match one-to-one with - the underlying table's columns. - </para> - </listitem> - <listitem> <para> Ensure a table's cached index list is correctly rebuilt after an index -- 2.40.0
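Review bot: in the CVE-2018-10925 item added by the release-10.sgml hunk at "@@ -35,6 +35,73 @@", the sentence "Any user could also use it for disclosure of server memory." leaves the precondition unstated, right after a sentence that carefully spells out the INSERT and UPDATE privileges needed for the privilege-bypass case; say what "any user" must be able to do (create such a view, insert through it, or nothing beyond connecting) so readers triaging exposure can tell the two cases apart. A smaller wording point in the same hunk: "could cause mischief, though other plausible attack scenarios are harder to think of" reads informally for a credential-bypass advisory; something like "could potentially exploit this bug, although no other practical attack scenarios are currently known" states the same thing in the register of the rest of the paragraph. Both passages are repeated verbatim in the release-9.5 and release-9.6 hunks (and the CVE-2018-10915 text also in 9.3 and 9.4), so any rewording has to be applied to every copy.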
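Review bot: no content is lost by the relocation in release-10.sgml at "@@ -260,29 +327,6 @@": the removed author/branch comment for b8a1247a3 and the two removed paragraphs of the INSERT ... ON CONFLICT UPDATE item are identical to the copy added at the top of the list in the first hunk, which only appends the three sentences on privilege bypass, memory disclosure and the CVE-2018-10925 reference. The same move is repeated in release-9.5.sgml and release-9.6.sgml at "@@ -140,21 +189,6 @@", and the removed text there likewise matches the relocated copy.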
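Review bot: the release-9.3.sgml and release-9.4.sgml hunks add only the CVE-2018-10915 item and omit the CVE-2018-10925 item; this matches the branch list recorded in the release-10.sgml comment for b8a1247a3, which stops at REL9_5_STABLE, and is expected since INSERT ... ON CONFLICT does not exist before 9.5, so the omission is intentional rather than a missed backpatch. It would help a later reader if the 9.3 and 9.4 copies carried the same author/branch comment block as the release-10 copy, but the surrounding context lines show those files do not use such comments, so leaving them out is consistent with the file.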