1
0
mirror of https://github.com/postgres/postgres.git synced 2025-10-24 01:29:19 +03:00

Last-minute updates for release notes.

Security: CVE-2018-1052, CVE-2018-1053
This commit is contained in:
Tom Lane
2018-02-05 14:43:40 -05:00
parent 0a5dcba2ab
commit 9a12ac37be
2 changed files with 44 additions and 0 deletions

View File

@@ -33,6 +33,28 @@
<itemizedlist>
<listitem>
<para>
Ensure that all temporary files made
by <application>pg_upgrade</application> are non-world-readable
(Tom Lane, Noah Misch)
</para>
<para>
<application>pg_upgrade</application> normally restricts its
temporary files to be readable and writable only by the calling user.
But the temporary file containing <literal>pg_dumpall -g</literal>
output would be group- or world-readable, or even writable, if the
user's <literal>umask</literal> setting allows. In typical usage on
multi-user machines, the <literal>umask</literal> and/or the working
directory's permissions would be tight enough to prevent problems;
but there may be people using <application>pg_upgrade</application>
in scenarios where this oversight would permit disclosure of database
passwords to unfriendly eyes.
(CVE-2018-1053)
</para>
</listitem>
<listitem>
<para>
Fix vacuuming of tuples that were updated while key-share locked

View File

@@ -33,6 +33,28 @@
<itemizedlist>
<listitem>
<para>
Ensure that all temporary files made
by <application>pg_upgrade</application> are non-world-readable
(Tom Lane, Noah Misch)
</para>
<para>
<application>pg_upgrade</application> normally restricts its
temporary files to be readable and writable only by the calling user.
But the temporary file containing <literal>pg_dumpall -g</literal>
output would be group- or world-readable, or even writable, if the
user's <literal>umask</literal> setting allows. In typical usage on
multi-user machines, the <literal>umask</literal> and/or the working
directory's permissions would be tight enough to prevent problems;
but there may be people using <application>pg_upgrade</application>
in scenarios where this oversight would permit disclosure of database
passwords to unfriendly eyes.
(CVE-2018-1053)
</para>
</listitem>
<listitem>
<para>
Fix vacuuming of tuples that were updated while key-share locked