Last-minute updates for release notes.

Add entries for security and not-quite-security issues.

Security: CVE-2015-5288, CVE-2015-5289

doc/src/sgml/release-9.0.sgml

@@ -40,6 +40,20 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Fix <filename>contrib/pgcrypto</> to detect and report
+      too-short <function>crypt()</> salts (Josh Kupershmidt)
+     </para>
+
+     <para>
+      Certain invalid salt arguments crashed the server or disclosed a few
+      bytes of server memory.  We have not ruled out the viability of
+      attacks that arrange for presence of confidential information in the
+      disclosed bytes, but they seem unlikely.  (CVE-2015-5288)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix subtransaction cleanup after a portal (cursor) belonging to an
@@ -124,6 +138,14 @@
      </para>
     </listitem>
 
+    <listitem>
+     <para>
+      Guard against hard-to-reach stack overflows involving record types,
+      range types, <type>json</>, <type>jsonb</>, <type>tsquery</>,
+      <type>ltxtquery</> and <type>query_int</> (Noah Misch)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix handling of <literal>DOW</> and <literal>DOY</> in datetime input

doc/src/sgml/release-9.1.sgml

@@ -34,6 +34,20 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Fix <filename>contrib/pgcrypto</> to detect and report
+      too-short <function>crypt()</> salts (Josh Kupershmidt)
+     </para>
+
+     <para>
+      Certain invalid salt arguments crashed the server or disclosed a few
+      bytes of server memory.  We have not ruled out the viability of
+      attacks that arrange for presence of confidential information in the
+      disclosed bytes, but they seem unlikely.  (CVE-2015-5288)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix subtransaction cleanup after a portal (cursor) belonging to an
@@ -130,6 +144,14 @@
      </para>
     </listitem>
 
+    <listitem>
+     <para>
+      Guard against hard-to-reach stack overflows involving record types,
+      range types, <type>json</>, <type>jsonb</>, <type>tsquery</>,
+      <type>ltxtquery</> and <type>query_int</> (Noah Misch)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix handling of <literal>DOW</> and <literal>DOY</> in datetime input

doc/src/sgml/release-9.2.sgml

@@ -34,6 +34,20 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Fix <filename>contrib/pgcrypto</> to detect and report
+      too-short <function>crypt()</> salts (Josh Kupershmidt)
+     </para>
+
+     <para>
+      Certain invalid salt arguments crashed the server or disclosed a few
+      bytes of server memory.  We have not ruled out the viability of
+      attacks that arrange for presence of confidential information in the
+      disclosed bytes, but they seem unlikely.  (CVE-2015-5288)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix subtransaction cleanup after a portal (cursor) belonging to an
@@ -136,6 +150,14 @@ Branch: REL9_1_STABLE [9b1b9446f] 2015-08-27 12:22:10 -0400
      </para>
     </listitem>
 
+    <listitem>
+     <para>
+      Guard against hard-to-reach stack overflows involving record types,
+      range types, <type>json</>, <type>jsonb</>, <type>tsquery</>,
+      <type>ltxtquery</> and <type>query_int</> (Noah Misch)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix handling of <literal>DOW</> and <literal>DOY</> in datetime input