mirror of
				https://github.com/postgres/postgres.git
				synced 2025-10-21 02:52:47 +03:00 
			
		
		
		
	Last-minute updates for release notes.
Security: CVE-2017-7484, CVE-2017-7485, CVE-2017-7486
This commit is contained in:
		| @@ -29,7 +29,12 @@ | |||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
|    <para> |    <para> | ||||||
|     However, if you are upgrading from a version earlier than 9.2.20, |     However, if you use foreign data servers that make use of user | ||||||
|  |     passwords for authentication, see the first changelog entry below. | ||||||
|  |    </para> | ||||||
|  |  | ||||||
|  |    <para> | ||||||
|  |     Also, if you are upgrading from a version earlier than 9.2.20, | ||||||
|     see <xref linkend="release-9-2-20">. |     see <xref linkend="release-9-2-20">. | ||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
| @@ -40,6 +45,124 @@ | |||||||
|  |  | ||||||
|    <itemizedlist> |    <itemizedlist> | ||||||
|  |  | ||||||
|  |     <listitem> | ||||||
|  |      <para> | ||||||
|  |       Restrict visibility | ||||||
|  |       of <structname>pg_user_mappings</>.<structfield>umoptions</>, to | ||||||
|  |       protect passwords stored as user mapping options | ||||||
|  |       (Michael Paquier, Feike Steenbergen) | ||||||
|  |      </para> | ||||||
|  |  | ||||||
|  |      <para> | ||||||
|  |       The previous coding allowed the owner of a foreign server object, | ||||||
|  |       or anyone he has granted server <literal>USAGE</> permission to, | ||||||
|  |       to see the options for all user mappings associated with that server. | ||||||
|  |       This might well include passwords for other users. | ||||||
|  |       Adjust the view definition to match the behavior of | ||||||
|  |       <structname>information_schema.user_mapping_options</>, namely that | ||||||
|  |       these options are visible to the user being mapped, or if the mapping | ||||||
|  |       is for <literal>PUBLIC</literal> and the current user is the server | ||||||
|  |       owner, or if the current user is a superuser. | ||||||
|  |       (CVE-2017-7486) | ||||||
|  |      </para> | ||||||
|  |  | ||||||
|  |      <para> | ||||||
|  |       By itself, this patch will only fix the behavior in newly initdb'd | ||||||
|  |       databases.  If you wish to apply this change in an existing database, | ||||||
|  |       you will need to do the following: | ||||||
|  |      </para> | ||||||
|  |  | ||||||
|  |      <procedure> | ||||||
|  |       <step> | ||||||
|  |        <para> | ||||||
|  |         Restart the postmaster after adding <literal>allow_system_table_mods | ||||||
|  |         = true</> to <filename>postgresql.conf</>.  (In versions | ||||||
|  |         supporting <command>ALTER SYSTEM</>, you can use that to make the | ||||||
|  |         configuration change, but you'll still need a restart.) | ||||||
|  |        </para> | ||||||
|  |       </step> | ||||||
|  |  | ||||||
|  |       <step> | ||||||
|  |        <para> | ||||||
|  |         In <emphasis>each</> database of the cluster, | ||||||
|  |         run the following commands as superuser: | ||||||
|  | <programlisting> | ||||||
|  | SET search_path = pg_catalog; | ||||||
|  | CREATE OR REPLACE VIEW pg_user_mappings AS | ||||||
|  |     SELECT | ||||||
|  |         U.oid       AS umid, | ||||||
|  |         S.oid       AS srvid, | ||||||
|  |         S.srvname   AS srvname, | ||||||
|  |         U.umuser    AS umuser, | ||||||
|  |         CASE WHEN U.umuser = 0 THEN | ||||||
|  |             'public' | ||||||
|  |         ELSE | ||||||
|  |             A.rolname | ||||||
|  |         END AS usename, | ||||||
|  |         CASE WHEN (U.umuser <> 0 AND A.rolname = current_user) | ||||||
|  |                     OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE')) | ||||||
|  |                     OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user) | ||||||
|  |                     THEN U.umoptions | ||||||
|  |                  ELSE NULL END AS umoptions | ||||||
|  |     FROM pg_user_mapping U | ||||||
|  |          LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN | ||||||
|  |         pg_foreign_server S ON (U.umserver = S.oid); | ||||||
|  | </programlisting> | ||||||
|  |        </para> | ||||||
|  |       </step> | ||||||
|  |  | ||||||
|  |       <step> | ||||||
|  |        <para> | ||||||
|  |         Do not forget to include the <literal>template0</> | ||||||
|  |         and <literal>template1</> databases, or the vulnerability will still | ||||||
|  |         exist in databases you create later.  To fix <literal>template0</>, | ||||||
|  |         you'll need to temporarily make it accept connections. | ||||||
|  |         In <productname>PostgreSQL</> 9.5 and later, you can use | ||||||
|  | <programlisting> | ||||||
|  | ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true; | ||||||
|  | </programlisting> | ||||||
|  |         and then after fixing <literal>template0</>, undo that with | ||||||
|  | <programlisting> | ||||||
|  | ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false; | ||||||
|  | </programlisting> | ||||||
|  |         In prior versions, instead use | ||||||
|  | <programlisting> | ||||||
|  | UPDATE pg_database SET datallowconn = true WHERE datname = 'template0'; | ||||||
|  | UPDATE pg_database SET datallowconn = false WHERE datname = 'template0'; | ||||||
|  | </programlisting> | ||||||
|  |        </para> | ||||||
|  |       </step> | ||||||
|  |  | ||||||
|  |       <step> | ||||||
|  |        <para> | ||||||
|  |         Finally, remove the <literal>allow_system_table_mods</> configuration | ||||||
|  |         setting, and again restart the postmaster. | ||||||
|  |        </para> | ||||||
|  |       </step> | ||||||
|  |      </procedure> | ||||||
|  |     </listitem> | ||||||
|  |  | ||||||
|  |     <listitem> | ||||||
|  |      <para> | ||||||
|  |       Prevent exposure of statistical information via leaky operators | ||||||
|  |       (Peter Eisentraut) | ||||||
|  |      </para> | ||||||
|  |  | ||||||
|  |      <para> | ||||||
|  |       Some selectivity estimation functions in the planner will apply | ||||||
|  |       user-defined operators to values obtained | ||||||
|  |       from <structname>pg_statistic</>, such as most common values and | ||||||
|  |       histogram entries.  This occurs before table permissions are checked, | ||||||
|  |       so a nefarious user could exploit the behavior to obtain these values | ||||||
|  |       for table columns he does not have permission to read.  To fix, | ||||||
|  |       fall back to a default estimate if the operator's implementation | ||||||
|  |       function is not certified leak-proof and the calling user does not have | ||||||
|  |       permission to read the table column whose statistics are needed. | ||||||
|  |       At least one of these criteria is satisfied in most cases in practice. | ||||||
|  |       (CVE-2017-7484) | ||||||
|  |      </para> | ||||||
|  |     </listitem> | ||||||
|  |  | ||||||
|     <listitem> |     <listitem> | ||||||
|      <para> |      <para> | ||||||
|       Fix possible corruption of <quote>init forks</> of unlogged indexes |       Fix possible corruption of <quote>init forks</> of unlogged indexes | ||||||
|   | |||||||
| @@ -23,7 +23,12 @@ | |||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
|    <para> |    <para> | ||||||
|     However, if you are upgrading from a version earlier than 9.3.16, |     However, if you use foreign data servers that make use of user | ||||||
|  |     passwords for authentication, see the first changelog entry below. | ||||||
|  |    </para> | ||||||
|  |  | ||||||
|  |    <para> | ||||||
|  |     Also, if you are upgrading from a version earlier than 9.3.16, | ||||||
|     see <xref linkend="release-9-3-16">. |     see <xref linkend="release-9-3-16">. | ||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
| @@ -34,6 +39,142 @@ | |||||||
|  |  | ||||||
|    <itemizedlist> |    <itemizedlist> | ||||||
|  |  | ||||||
|  |     <listitem> | ||||||
|  |      <para> | ||||||
|  |       Restrict visibility | ||||||
|  |       of <structname>pg_user_mappings</>.<structfield>umoptions</>, to | ||||||
|  |       protect passwords stored as user mapping options | ||||||
|  |       (Michael Paquier, Feike Steenbergen) | ||||||
|  |      </para> | ||||||
|  |  | ||||||
|  |      <para> | ||||||
|  |       The previous coding allowed the owner of a foreign server object, | ||||||
|  |       or anyone he has granted server <literal>USAGE</> permission to, | ||||||
|  |       to see the options for all user mappings associated with that server. | ||||||
|  |       This might well include passwords for other users. | ||||||
|  |       Adjust the view definition to match the behavior of | ||||||
|  |       <structname>information_schema.user_mapping_options</>, namely that | ||||||
|  |       these options are visible to the user being mapped, or if the mapping | ||||||
|  |       is for <literal>PUBLIC</literal> and the current user is the server | ||||||
|  |       owner, or if the current user is a superuser. | ||||||
|  |       (CVE-2017-7486) | ||||||
|  |      </para> | ||||||
|  |  | ||||||
|  |      <para> | ||||||
|  |       By itself, this patch will only fix the behavior in newly initdb'd | ||||||
|  |       databases.  If you wish to apply this change in an existing database, | ||||||
|  |       you will need to do the following: | ||||||
|  |      </para> | ||||||
|  |  | ||||||
|  |      <procedure> | ||||||
|  |       <step> | ||||||
|  |        <para> | ||||||
|  |         Restart the postmaster after adding <literal>allow_system_table_mods | ||||||
|  |         = true</> to <filename>postgresql.conf</>.  (In versions | ||||||
|  |         supporting <command>ALTER SYSTEM</>, you can use that to make the | ||||||
|  |         configuration change, but you'll still need a restart.) | ||||||
|  |        </para> | ||||||
|  |       </step> | ||||||
|  |  | ||||||
|  |       <step> | ||||||
|  |        <para> | ||||||
|  |         In <emphasis>each</> database of the cluster, | ||||||
|  |         run the following commands as superuser: | ||||||
|  | <programlisting> | ||||||
|  | SET search_path = pg_catalog; | ||||||
|  | CREATE OR REPLACE VIEW pg_user_mappings AS | ||||||
|  |     SELECT | ||||||
|  |         U.oid       AS umid, | ||||||
|  |         S.oid       AS srvid, | ||||||
|  |         S.srvname   AS srvname, | ||||||
|  |         U.umuser    AS umuser, | ||||||
|  |         CASE WHEN U.umuser = 0 THEN | ||||||
|  |             'public' | ||||||
|  |         ELSE | ||||||
|  |             A.rolname | ||||||
|  |         END AS usename, | ||||||
|  |         CASE WHEN (U.umuser <> 0 AND A.rolname = current_user) | ||||||
|  |                     OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE')) | ||||||
|  |                     OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user) | ||||||
|  |                     THEN U.umoptions | ||||||
|  |                  ELSE NULL END AS umoptions | ||||||
|  |     FROM pg_user_mapping U | ||||||
|  |          LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN | ||||||
|  |         pg_foreign_server S ON (U.umserver = S.oid); | ||||||
|  | </programlisting> | ||||||
|  |        </para> | ||||||
|  |       </step> | ||||||
|  |  | ||||||
|  |       <step> | ||||||
|  |        <para> | ||||||
|  |         Do not forget to include the <literal>template0</> | ||||||
|  |         and <literal>template1</> databases, or the vulnerability will still | ||||||
|  |         exist in databases you create later.  To fix <literal>template0</>, | ||||||
|  |         you'll need to temporarily make it accept connections. | ||||||
|  |         In <productname>PostgreSQL</> 9.5 and later, you can use | ||||||
|  | <programlisting> | ||||||
|  | ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true; | ||||||
|  | </programlisting> | ||||||
|  |         and then after fixing <literal>template0</>, undo that with | ||||||
|  | <programlisting> | ||||||
|  | ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false; | ||||||
|  | </programlisting> | ||||||
|  |         In prior versions, instead use | ||||||
|  | <programlisting> | ||||||
|  | UPDATE pg_database SET datallowconn = true WHERE datname = 'template0'; | ||||||
|  | UPDATE pg_database SET datallowconn = false WHERE datname = 'template0'; | ||||||
|  | </programlisting> | ||||||
|  |        </para> | ||||||
|  |       </step> | ||||||
|  |  | ||||||
|  |       <step> | ||||||
|  |        <para> | ||||||
|  |         Finally, remove the <literal>allow_system_table_mods</> configuration | ||||||
|  |         setting, and again restart the postmaster. | ||||||
|  |        </para> | ||||||
|  |       </step> | ||||||
|  |      </procedure> | ||||||
|  |     </listitem> | ||||||
|  |  | ||||||
|  |     <listitem> | ||||||
|  |      <para> | ||||||
|  |       Prevent exposure of statistical information via leaky operators | ||||||
|  |       (Peter Eisentraut) | ||||||
|  |      </para> | ||||||
|  |  | ||||||
|  |      <para> | ||||||
|  |       Some selectivity estimation functions in the planner will apply | ||||||
|  |       user-defined operators to values obtained | ||||||
|  |       from <structname>pg_statistic</>, such as most common values and | ||||||
|  |       histogram entries.  This occurs before table permissions are checked, | ||||||
|  |       so a nefarious user could exploit the behavior to obtain these values | ||||||
|  |       for table columns he does not have permission to read.  To fix, | ||||||
|  |       fall back to a default estimate if the operator's implementation | ||||||
|  |       function is not certified leak-proof and the calling user does not have | ||||||
|  |       permission to read the table column whose statistics are needed. | ||||||
|  |       At least one of these criteria is satisfied in most cases in practice. | ||||||
|  |       (CVE-2017-7484) | ||||||
|  |      </para> | ||||||
|  |     </listitem> | ||||||
|  |  | ||||||
|  |     <listitem> | ||||||
|  |      <para> | ||||||
|  |       Restore <application>libpq</>'s recognition of | ||||||
|  |       the <envar>PGREQUIRESSL</> environment variable (Daniel Gustafsson) | ||||||
|  |      </para> | ||||||
|  |  | ||||||
|  |      <para> | ||||||
|  |       Processing of this environment variable was unintentionally dropped | ||||||
|  |       in <productname>PostgreSQL</> 9.3, but its documentation remained. | ||||||
|  |       This creates a security hazard, since users might be relying on the | ||||||
|  |       environment variable to force SSL-encrypted connections, but that | ||||||
|  |       would no longer be guaranteed.  Restore handling of the variable, | ||||||
|  |       but give it lower priority than <envar>PGSSLMODE</>, to avoid | ||||||
|  |       breaking configurations that work correctly with post-9.3 code. | ||||||
|  |       (CVE-2017-7485) | ||||||
|  |      </para> | ||||||
|  |     </listitem> | ||||||
|  |  | ||||||
|     <listitem> |     <listitem> | ||||||
|      <para> |      <para> | ||||||
|       Fix possible corruption of <quote>init forks</> of unlogged indexes |       Fix possible corruption of <quote>init forks</> of unlogged indexes | ||||||
|   | |||||||
| @@ -23,8 +23,13 @@ | |||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
|    <para> |    <para> | ||||||
|     However, if you are using third-party replication tools that depend |     However, if you use foreign data servers that make use of user | ||||||
|     on <quote>logical decoding</>, see the first changelog entry below. |     passwords for authentication, see the first changelog entry below. | ||||||
|  |    </para> | ||||||
|  |  | ||||||
|  |    <para> | ||||||
|  |     Also, if you are using third-party replication tools that depend | ||||||
|  |     on <quote>logical decoding</>, see the fourth changelog entry below. | ||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
|    <para> |    <para> | ||||||
| @@ -38,6 +43,142 @@ | |||||||
|  |  | ||||||
|    <itemizedlist> |    <itemizedlist> | ||||||
|  |  | ||||||
|  |     <listitem> | ||||||
|  |      <para> | ||||||
|  |       Restrict visibility | ||||||
|  |       of <structname>pg_user_mappings</>.<structfield>umoptions</>, to | ||||||
|  |       protect passwords stored as user mapping options | ||||||
|  |       (Michael Paquier, Feike Steenbergen) | ||||||
|  |      </para> | ||||||
|  |  | ||||||
|  |      <para> | ||||||
|  |       The previous coding allowed the owner of a foreign server object, | ||||||
|  |       or anyone he has granted server <literal>USAGE</> permission to, | ||||||
|  |       to see the options for all user mappings associated with that server. | ||||||
|  |       This might well include passwords for other users. | ||||||
|  |       Adjust the view definition to match the behavior of | ||||||
|  |       <structname>information_schema.user_mapping_options</>, namely that | ||||||
|  |       these options are visible to the user being mapped, or if the mapping | ||||||
|  |       is for <literal>PUBLIC</literal> and the current user is the server | ||||||
|  |       owner, or if the current user is a superuser. | ||||||
|  |       (CVE-2017-7486) | ||||||
|  |      </para> | ||||||
|  |  | ||||||
|  |      <para> | ||||||
|  |       By itself, this patch will only fix the behavior in newly initdb'd | ||||||
|  |       databases.  If you wish to apply this change in an existing database, | ||||||
|  |       you will need to do the following: | ||||||
|  |      </para> | ||||||
|  |  | ||||||
|  |      <procedure> | ||||||
|  |       <step> | ||||||
|  |        <para> | ||||||
|  |         Restart the postmaster after adding <literal>allow_system_table_mods | ||||||
|  |         = true</> to <filename>postgresql.conf</>.  (In versions | ||||||
|  |         supporting <command>ALTER SYSTEM</>, you can use that to make the | ||||||
|  |         configuration change, but you'll still need a restart.) | ||||||
|  |        </para> | ||||||
|  |       </step> | ||||||
|  |  | ||||||
|  |       <step> | ||||||
|  |        <para> | ||||||
|  |         In <emphasis>each</> database of the cluster, | ||||||
|  |         run the following commands as superuser: | ||||||
|  | <programlisting> | ||||||
|  | SET search_path = pg_catalog; | ||||||
|  | CREATE OR REPLACE VIEW pg_user_mappings AS | ||||||
|  |     SELECT | ||||||
|  |         U.oid       AS umid, | ||||||
|  |         S.oid       AS srvid, | ||||||
|  |         S.srvname   AS srvname, | ||||||
|  |         U.umuser    AS umuser, | ||||||
|  |         CASE WHEN U.umuser = 0 THEN | ||||||
|  |             'public' | ||||||
|  |         ELSE | ||||||
|  |             A.rolname | ||||||
|  |         END AS usename, | ||||||
|  |         CASE WHEN (U.umuser <> 0 AND A.rolname = current_user) | ||||||
|  |                     OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE')) | ||||||
|  |                     OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user) | ||||||
|  |                     THEN U.umoptions | ||||||
|  |                  ELSE NULL END AS umoptions | ||||||
|  |     FROM pg_user_mapping U | ||||||
|  |          LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN | ||||||
|  |         pg_foreign_server S ON (U.umserver = S.oid); | ||||||
|  | </programlisting> | ||||||
|  |        </para> | ||||||
|  |       </step> | ||||||
|  |  | ||||||
|  |       <step> | ||||||
|  |        <para> | ||||||
|  |         Do not forget to include the <literal>template0</> | ||||||
|  |         and <literal>template1</> databases, or the vulnerability will still | ||||||
|  |         exist in databases you create later.  To fix <literal>template0</>, | ||||||
|  |         you'll need to temporarily make it accept connections. | ||||||
|  |         In <productname>PostgreSQL</> 9.5 and later, you can use | ||||||
|  | <programlisting> | ||||||
|  | ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true; | ||||||
|  | </programlisting> | ||||||
|  |         and then after fixing <literal>template0</>, undo that with | ||||||
|  | <programlisting> | ||||||
|  | ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false; | ||||||
|  | </programlisting> | ||||||
|  |         In prior versions, instead use | ||||||
|  | <programlisting> | ||||||
|  | UPDATE pg_database SET datallowconn = true WHERE datname = 'template0'; | ||||||
|  | UPDATE pg_database SET datallowconn = false WHERE datname = 'template0'; | ||||||
|  | </programlisting> | ||||||
|  |        </para> | ||||||
|  |       </step> | ||||||
|  |  | ||||||
|  |       <step> | ||||||
|  |        <para> | ||||||
|  |         Finally, remove the <literal>allow_system_table_mods</> configuration | ||||||
|  |         setting, and again restart the postmaster. | ||||||
|  |        </para> | ||||||
|  |       </step> | ||||||
|  |      </procedure> | ||||||
|  |     </listitem> | ||||||
|  |  | ||||||
|  |     <listitem> | ||||||
|  |      <para> | ||||||
|  |       Prevent exposure of statistical information via leaky operators | ||||||
|  |       (Peter Eisentraut) | ||||||
|  |      </para> | ||||||
|  |  | ||||||
|  |      <para> | ||||||
|  |       Some selectivity estimation functions in the planner will apply | ||||||
|  |       user-defined operators to values obtained | ||||||
|  |       from <structname>pg_statistic</>, such as most common values and | ||||||
|  |       histogram entries.  This occurs before table permissions are checked, | ||||||
|  |       so a nefarious user could exploit the behavior to obtain these values | ||||||
|  |       for table columns he does not have permission to read.  To fix, | ||||||
|  |       fall back to a default estimate if the operator's implementation | ||||||
|  |       function is not certified leak-proof and the calling user does not have | ||||||
|  |       permission to read the table column whose statistics are needed. | ||||||
|  |       At least one of these criteria is satisfied in most cases in practice. | ||||||
|  |       (CVE-2017-7484) | ||||||
|  |      </para> | ||||||
|  |     </listitem> | ||||||
|  |  | ||||||
|  |     <listitem> | ||||||
|  |      <para> | ||||||
|  |       Restore <application>libpq</>'s recognition of | ||||||
|  |       the <envar>PGREQUIRESSL</> environment variable (Daniel Gustafsson) | ||||||
|  |      </para> | ||||||
|  |  | ||||||
|  |      <para> | ||||||
|  |       Processing of this environment variable was unintentionally dropped | ||||||
|  |       in <productname>PostgreSQL</> 9.3, but its documentation remained. | ||||||
|  |       This creates a security hazard, since users might be relying on the | ||||||
|  |       environment variable to force SSL-encrypted connections, but that | ||||||
|  |       would no longer be guaranteed.  Restore handling of the variable, | ||||||
|  |       but give it lower priority than <envar>PGSSLMODE</>, to avoid | ||||||
|  |       breaking configurations that work correctly with post-9.3 code. | ||||||
|  |       (CVE-2017-7485) | ||||||
|  |      </para> | ||||||
|  |     </listitem> | ||||||
|  |  | ||||||
|     <listitem> |     <listitem> | ||||||
|      <para> |      <para> | ||||||
|       Fix possibly-invalid initial snapshot during logical decoding |       Fix possibly-invalid initial snapshot during logical decoding | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user