From a7e51a407658c65b3c3458bbbbff6c46a3c182b2 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 10 Aug 2020 15:35:46 -0400 Subject: [PATCH] Last-minute updates for release notes. Security: CVE-2020-14349, CVE-2020-14350 --- doc/src/sgml/release-9.6.sgml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/doc/src/sgml/release-9.6.sgml b/doc/src/sgml/release-9.6.sgml index ba458932e13..1b1ed23477a 100644 --- a/doc/src/sgml/release-9.6.sgml +++ b/doc/src/sgml/release-9.6.sgml @@ -35,6 +35,39 @@ + + Make contrib modules' installation scripts more secure (Tom Lane) + + + + Attacks similar to those described in CVE-2018-1058 could be carried + out against an extension installation script, if the attacker can + create objects in either the extension's target schema or the schema + of some prerequisite extension. Since extensions often require + superuser privilege to install, this can open a path to obtaining + superuser privilege. To mitigate this risk, be more careful about + the search_path used to run an installation + script; disable check_function_bodies within the + script; and fix catalog-adjustment queries used in some contrib + modules to ensure they are secure. Also provide documentation to + help third-party extension authors make their installation scripts + secure. This is not a complete solution; extensions that depend on + other extensions can still be at risk if installed carelessly. + (CVE-2020-14350) + + + + +
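Review bot: the last sentence of the added entry ("extensions that depend on other extensions can still be at risk if installed carelessly") leaves the reader without an action, because "carelessly" is never defined. The entry already names the precondition, that the attacker can create objects in the extension's target schema or the schema of some prerequisite extension, so the caveat could state the precaution directly: install an extension and its prerequisites only into schemas where untrusted users cannot create objects. Separately, the Security: line of the commit message lists CVE-2020-14349 as well, but the only entry added to release-9.6.sgml cites CVE-2020-14350; if CVE-2020-14349 does not affect this branch, a word to that effect in the commit message would save readers from looking for a missing entry.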