database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-01 14:21:49 +03:00
Code

Last-minute updates for release notes.

Browse Source 
Security: CVE-2017-12172, CVE-2017-15098, CVE-2017-15099
This commit is contained in:
Tom Lane 2017-11-06 12:02:30 -05:00
parent c30f082d27
commit 50abeafc74
6 changed files with 364 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
doc/src/sgml/release-10.sgml
View File

@ -23,7 +23,7 @@
</para> </para>
<para> <para>
However, if you use BRIN indexes, see the first changelog entry below. However, if you use BRIN indexes, see the fourth changelog entry below.
</para> </para>
</sect2> </sect2>
@ -34,6 +34,92 @@
<listitem> <listitem>
<!-- <!--
Author: Dean Rasheed <dean.a.rasheed@gmail.com>
Branch: master [87b2ebd35] 2017-11-06 09:19:22 +0000
Branch: REL_10_STABLE [3f8089572] 2017-11-06 09:17:44 +0000
Branch: REL9_6_STABLE [1f23d1cd2] 2017-11-06 09:16:24 +0000
Branch: REL9_5_STABLE [045a18888] 2017-11-06 09:15:11 +0000
-->
<para>
Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks
table permissions and RLS policies in all cases (Dean Rasheed)
</para>
<para>
The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal>
requires <literal>SELECT</literal> permission on the columns of the
arbiter index, but it failed to check for that in the case of an
arbiter specified by constraint name.
In addition, for a table with row level security enabled, it failed to
check updated rows against the table's <literal>SELECT</literal>
policies (regardless of how the arbiter index was specified).
(CVE-2017-15099)
</para>
</listitem>
<listitem>
<!--
Author: Tom Lane <tgl@sss.pgh.pa.us>
Branch: master [b57422871] 2017-11-06 10:29:37 -0500
Branch: REL_10_STABLE [c30f082d2] 2017-11-06 10:29:38 -0500
Branch: REL9_6_STABLE [38e825632] 2017-11-06 10:29:39 -0500
Branch: REL9_5_STABLE [d5fe5fb23] 2017-11-06 10:29:40 -0500
Branch: REL9_4_STABLE [70846ee05] 2017-11-06 10:29:41 -0500
Branch: REL9_3_STABLE [c0c8807de] 2017-11-06 10:29:42 -0500
-->
<para>
Fix crash due to rowtype mismatch
in <function>json{b}_populate_recordset()</function>
(Michael Paquier, Tom Lane)
</para>
<para>
These functions used the result rowtype specified in the <literal>FROM
... AS</literal> clause without checking that it matched the actual
rowtype of the supplied tuple value. If it didn't, that would usually
result in a crash, though disclosure of server memory contents seems
possible as well.
(CVE-2017-15098)
</para>
</listitem>
<listitem>
<!--
Author: Noah Misch <noah@leadboat.com>
Branch: master [dfc015dcf] 2017-11-06 07:11:10 -0800
Branch: REL_10_STABLE [6b0b983f7] 2017-11-06 07:11:13 -0800
Branch: REL9_6_STABLE [b7d6f7507] 2017-11-06 07:11:13 -0800
Branch: REL9_5_STABLE [ed546dd06] 2017-11-06 07:11:13 -0800
Branch: REL9_4_STABLE [29d067051] 2017-11-06 07:11:13 -0800
Branch: REL9_3_STABLE [b50029768] 2017-11-06 07:11:13 -0800
Branch: REL9_2_STABLE [eda780281] 2017-11-06 07:11:13 -0800
-->
<para>
Fix sample server-start scripts to become <literal>$PGUSER</literal>
before opening <literal>$PGLOG</literal> (Noah Misch)
</para>
<para>
Previously, the postmaster log file was opened while still running as
root. The database owner could therefore mount an attack against
another system user by making <literal>$PGLOG</literal> be a symbolic
link to some other file, which would then become corrupted by appending
log messages.
</para>
<para>
By default, these scripts are not installed anywhere. Users who have
made use of them will need to manually recopy them, or apply the same
changes to their modified versions. If the
existing <literal>$PGLOG</literal> file is root-owned, it will need to
be removed or renamed out of the way before restarting the server with
the corrected script.
(CVE-2017-12172)
</para>
</listitem>
<listitem>
<!--
Author: Alvaro Herrera <alvherre@alvh.no-ip.org> Author: Alvaro Herrera <alvherre@alvh.no-ip.org>
Branch: master [ec42a1dcb] 2017-11-03 17:23:13 +0100 Branch: master [ec42a1dcb] 2017-11-03 17:23:13 +0100
Branch: REL_10_STABLE [37a856567] 2017-11-03 17:23:13 +0100 Branch: REL_10_STABLE [37a856567] 2017-11-03 17:23:13 +0100
@ -595,6 +681,26 @@ Branch: REL9_3_STABLE [deb429b51] 2017-11-03 12:40:42 +0100
<listitem> <listitem>
<!-- <!--
Author: Noah Misch <noah@leadboat.com>
Branch: master [c66b438db] 2017-11-05 18:51:08 -0800
Branch: REL_10_STABLE [937f67800] 2017-11-05 18:51:15 -0800
Branch: REL9_6_STABLE [971983f42] 2017-11-05 18:52:38 -0800
Branch: REL9_5_STABLE [014c5cd87] 2017-11-05 18:54:52 -0800
-->
<para>
Fix missing temp-install prerequisites
for <literal>check</literal>-like Make targets (Noah Misch)
</para>
<para>
Some non-default test procedures that are meant to work
like <literal>make check</literal> failed to ensure that the temporary
installation was up to date.
</para>
</listitem>
<listitem>
<!--
Author: Tom Lane <tgl@sss.pgh.pa.us> Author: Tom Lane <tgl@sss.pgh.pa.us>
Branch: master [8df4ce1ea] 2017-10-23 18:15:36 -0400 Branch: master [8df4ce1ea] 2017-10-23 18:15:36 -0400
Branch: REL_10_STABLE [0cde56247] 2017-10-23 18:15:42 -0400 Branch: REL_10_STABLE [0cde56247] 2017-10-23 18:15:42 -0400

25
doc/src/sgml/release-9.2.sgml
View File

@ -40,6 +40,31 @@
<itemizedlist> <itemizedlist>
<listitem>
<para>
Fix sample server-start scripts to become <literal>$PGUSER</literal>
before opening <literal>$PGLOG</literal> (Noah Misch)
</para>
<para>
Previously, the postmaster log file was opened while still running as
root. The database owner could therefore mount an attack against
another system user by making <literal>$PGLOG</literal> be a symbolic
link to some other file, which would then become corrupted by appending
log messages.
</para>
<para>
By default, these scripts are not installed anywhere. Users who have
made use of them will need to manually recopy them, or apply the same
changes to their modified versions. If the
existing <literal>$PGLOG</literal> file is root-owned, it will need to
be removed or renamed out of the way before restarting the server with
the corrected script.
(CVE-2017-12172)
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Properly reject attempts to convert infinite float values to Properly reject attempts to convert infinite float values to

42
doc/src/sgml/release-9.3.sgml
View File

@ -34,6 +34,48 @@
<itemizedlist> <itemizedlist>
<listitem>
<para>
Fix crash due to rowtype mismatch
in <function>json{b}_populate_recordset()</function>
(Michael Paquier, Tom Lane)
</para>
<para>
These functions used the result rowtype specified in the <literal>FROM
... AS</literal> clause without checking that it matched the actual
rowtype of the supplied tuple value. If it didn't, that would usually
result in a crash, though disclosure of server memory contents seems
possible as well.
(CVE-2017-15098)
</para>
</listitem>
<listitem>
<para>
Fix sample server-start scripts to become <literal>$PGUSER</literal>
before opening <literal>$PGLOG</literal> (Noah Misch)
</para>
<para>
Previously, the postmaster log file was opened while still running as
root. The database owner could therefore mount an attack against
another system user by making <literal>$PGLOG</literal> be a symbolic
link to some other file, which would then become corrupted by appending
log messages.
</para>
<para>
By default, these scripts are not installed anywhere. Users who have
made use of them will need to manually recopy them, or apply the same
changes to their modified versions. If the
existing <literal>$PGLOG</literal> file is root-owned, it will need to
be removed or renamed out of the way before restarting the server with
the corrected script.
(CVE-2017-12172)
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Properly reject attempts to convert infinite float values to Properly reject attempts to convert infinite float values to

42
doc/src/sgml/release-9.4.sgml
View File

@ -33,6 +33,48 @@
<itemizedlist> <itemizedlist>
<listitem>
<para>
Fix crash due to rowtype mismatch
in <function>json{b}_populate_recordset()</function>
(Michael Paquier, Tom Lane)
</para>
<para>
These functions used the result rowtype specified in the <literal>FROM
... AS</literal> clause without checking that it matched the actual
rowtype of the supplied tuple value. If it didn't, that would usually
result in a crash, though disclosure of server memory contents seems
possible as well.
(CVE-2017-15098)
</para>
</listitem>
<listitem>
<para>
Fix sample server-start scripts to become <literal>$PGUSER</literal>
before opening <literal>$PGLOG</literal> (Noah Misch)
</para>
<para>
Previously, the postmaster log file was opened while still running as
root. The database owner could therefore mount an attack against
another system user by making <literal>$PGLOG</literal> be a symbolic
link to some other file, which would then become corrupted by appending
log messages.
</para>
<para>
By default, these scripts are not installed anywhere. Users who have
made use of them will need to manually recopy them, or apply the same
changes to their modified versions. If the
existing <literal>$PGLOG</literal> file is root-owned, it will need to
be removed or renamed out of the way before restarting the server with
the corrected script.
(CVE-2017-12172)
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Fix crash when logical decoding is invoked from a SPI-using function, Fix crash when logical decoding is invoked from a SPI-using function,

75
doc/src/sgml/release-9.5.sgml
View File

@ -23,7 +23,7 @@
</para> </para>
<para> <para>
However, if you use BRIN indexes, see the first changelog entry below. However, if you use BRIN indexes, see the fourth changelog entry below.
</para> </para>
<para> <para>
@ -37,6 +37,66 @@
<itemizedlist> <itemizedlist>
<listitem>
<para>
Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks
table permissions and RLS policies in all cases (Dean Rasheed)
</para>
<para>
The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal>
requires <literal>SELECT</literal> permission on the columns of the
arbiter index, but it failed to check for that in the case of an
arbiter specified by constraint name.
In addition, for a table with row level security enabled, it failed to
check updated rows against the table's <literal>SELECT</literal>
policies (regardless of how the arbiter index was specified).
(CVE-2017-15099)
</para>
</listitem>
<listitem>
<para>
Fix crash due to rowtype mismatch
in <function>json{b}_populate_recordset()</function>
(Michael Paquier, Tom Lane)
</para>
<para>
These functions used the result rowtype specified in the <literal>FROM
... AS</literal> clause without checking that it matched the actual
rowtype of the supplied tuple value. If it didn't, that would usually
result in a crash, though disclosure of server memory contents seems
possible as well.
(CVE-2017-15098)
</para>
</listitem>
<listitem>
<para>
Fix sample server-start scripts to become <literal>$PGUSER</literal>
before opening <literal>$PGLOG</literal> (Noah Misch)
</para>
<para>
Previously, the postmaster log file was opened while still running as
root. The database owner could therefore mount an attack against
another system user by making <literal>$PGLOG</literal> be a symbolic
link to some other file, which would then become corrupted by appending
log messages.
</para>
<para>
By default, these scripts are not installed anywhere. Users who have
made use of them will need to manually recopy them, or apply the same
changes to their modified versions. If the
existing <literal>$PGLOG</literal> file is root-owned, it will need to
be removed or renamed out of the way before restarting the server with
the corrected script.
(CVE-2017-12172)
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Fix BRIN index summarization to handle concurrent table extension Fix BRIN index summarization to handle concurrent table extension
@ -259,6 +319,19 @@
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Fix missing temp-install prerequisites
for <literal>check</literal>-like Make targets (Noah Misch)
</para>
<para>
Some non-default test procedures that are meant to work
like <literal>make check</literal> failed to ensure that the temporary
installation was up to date.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Sync our copy of the timezone library with IANA release tzcode2017c Sync our copy of the timezone library with IANA release tzcode2017c

75
doc/src/sgml/release-9.6.sgml
View File

@ -23,7 +23,7 @@
</para> </para>
<para> <para>
However, if you use BRIN indexes, see the first changelog entry below. However, if you use BRIN indexes, see the fourth changelog entry below.
</para> </para>
<para> <para>
@ -37,6 +37,66 @@
<itemizedlist> <itemizedlist>
<listitem>
<para>
Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks
table permissions and RLS policies in all cases (Dean Rasheed)
</para>
<para>
The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal>
requires <literal>SELECT</literal> permission on the columns of the
arbiter index, but it failed to check for that in the case of an
arbiter specified by constraint name.
In addition, for a table with row level security enabled, it failed to
check updated rows against the table's <literal>SELECT</literal>
policies (regardless of how the arbiter index was specified).
(CVE-2017-15099)
</para>
</listitem>
<listitem>
<para>
Fix crash due to rowtype mismatch
in <function>json{b}_populate_recordset()</function>
(Michael Paquier, Tom Lane)
</para>
<para>
These functions used the result rowtype specified in the <literal>FROM
... AS</literal> clause without checking that it matched the actual
rowtype of the supplied tuple value. If it didn't, that would usually
result in a crash, though disclosure of server memory contents seems
possible as well.
(CVE-2017-15098)
</para>
</listitem>
<listitem>
<para>
Fix sample server-start scripts to become <literal>$PGUSER</literal>
before opening <literal>$PGLOG</literal> (Noah Misch)
</para>
<para>
Previously, the postmaster log file was opened while still running as
root. The database owner could therefore mount an attack against
another system user by making <literal>$PGLOG</literal> be a symbolic
link to some other file, which would then become corrupted by appending
log messages.
</para>
<para>
By default, these scripts are not installed anywhere. Users who have
made use of them will need to manually recopy them, or apply the same
changes to their modified versions. If the
existing <literal>$PGLOG</literal> file is root-owned, it will need to
be removed or renamed out of the way before restarting the server with
the corrected script.
(CVE-2017-12172)
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Fix BRIN index summarization to handle concurrent table extension Fix BRIN index summarization to handle concurrent table extension
@ -459,6 +519,19 @@ Branch: REL9_6_STABLE [407e66078] 2017-09-14 01:17:15 +0200
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Fix missing temp-install prerequisites
for <literal>check</literal>-like Make targets (Noah Misch)
</para>
<para>
Some non-default test procedures that are meant to work
like <literal>make check</literal> failed to ensure that the temporary
installation was up to date.
</para>
</listitem>
<listitem> <listitem>
<!-- <!--
Author: Tom Lane <tgl@sss.pgh.pa.us> Author: Tom Lane <tgl@sss.pgh.pa.us>