From 197671018875d278db7075f604eca02b42a33c3e Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 8 Aug 2022 11:28:47 -0400 Subject: [PATCH] Last-minute updates for release notes. Security: CVE-2022-2625 --- doc/src/sgml/release-11.sgml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/doc/src/sgml/release-11.sgml b/doc/src/sgml/release-11.sgml index 3bddd9d684..9445e5e3c7 100644 --- a/doc/src/sgml/release-11.sgml +++ b/doc/src/sgml/release-11.sgml @@ -35,6 +35,41 @@ + + Do not let extension scripts replace objects not already belonging + to the extension (Tom Lane) + + + + This change prevents extension scripts from doing CREATE + OR REPLACE if there is an existing object that does not + belong to the extension. It also prevents CREATE IF NOT + EXISTS in the same situation. This prevents a form of + trojan-horse attack in which a hostile database user could become + the owner of an extension object and then modify it to compromise + future uses of the object by other users. As a side benefit, it + also reduces the risk of accidentally replacing objects one did + not mean to. + + + + The PostgreSQL Project thanks + Sven Klemm for reporting this problem. + (CVE-2022-2625) + + + + +