Last-minute updates for release notes.

Security: CVE-2018-10915, CVE-2018-10925
2025-06-08 22:02:03 +03:00 · 2018-08-06 13:13:41 -04:00 · 2018-08-06 13:13:41 -04:00 · c54f04820a
commit c54f04820a
parent 6de9766b8d
2 changed files with 56 additions and 0 deletions
--- a/doc/src/sgml/release-9.3.sgml
+++ b/doc/src/sgml/release-9.3.sgml
@ -39,6 +39,34 @@
   <itemizedlist>
    <listitem>
     <para>
      Fix failure to reset <application>libpq</application>'s state fully
      between connection attempts (Tom Lane)
     </para>
     <para>
      An unprivileged user of <filename>dblink</filename>
      or <filename>postgres_fdw</filename> could bypass the checks intended
      to prevent use of server-side credentials, such as
      a <filename>~/.pgpass</filename> file owned by the operating-system
      user running the server.  Servers allowing peer authentication on
      local connections are particularly vulnerable.  Other attacks such
      as SQL injection into a <filename>postgres_fdw</filename> session
      are also possible.
      Attacking <filename>postgres_fdw</filename> in this way requires the
      ability to create a foreign server object with selected connection
      parameters, but any user with access to <filename>dblink</filename>
      could exploit the problem.
      In general, an attacker with the ability to select the connection
      parameters for a <application>libpq</application>-using application
      could cause mischief, though other plausible attack scenarios are
      harder to think of.
      Our thanks to Andrew Krasichkov for reporting this issue.
      (CVE-2018-10915)
     </para>
    </listitem>
    <listitem>
     <para>
      Ensure that updates to the <structfield>relfrozenxid</structfield>
--- a/doc/src/sgml/release-9.4.sgml
+++ b/doc/src/sgml/release-9.4.sgml
@ -33,6 +33,34 @@
   <itemizedlist>
    <listitem>
     <para>
      Fix failure to reset <application>libpq</application>'s state fully
      between connection attempts (Tom Lane)
     </para>
     <para>
      An unprivileged user of <filename>dblink</filename>
      or <filename>postgres_fdw</filename> could bypass the checks intended
      to prevent use of server-side credentials, such as
      a <filename>~/.pgpass</filename> file owned by the operating-system
      user running the server.  Servers allowing peer authentication on
      local connections are particularly vulnerable.  Other attacks such
      as SQL injection into a <filename>postgres_fdw</filename> session
      are also possible.
      Attacking <filename>postgres_fdw</filename> in this way requires the
      ability to create a foreign server object with selected connection
      parameters, but any user with access to <filename>dblink</filename>
      could exploit the problem.
      In general, an attacker with the ability to select the connection
      parameters for a <application>libpq</application>-using application
      could cause mischief, though other plausible attack scenarios are
      harder to think of.
      Our thanks to Andrew Krasichkov for reporting this issue.
      (CVE-2018-10915)
     </para>
    </listitem>
    <listitem>
     <para>
      Ensure that updates to the <structfield>relfrozenxid</structfield>