From 2da33cbd52aaf5cbc4bc6c4e42e8879ee75a859d Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Mon, 5 Nov 2018 10:48:23 -0500
Subject: [PATCH] Last-minute updates for release notes.

Security: CVE-2018-16850
---
 doc/src/sgml/release-10.sgml | 41 ++++++++++++++++++-----
 doc/src/sgml/release-11.sgml | 65 ++++++++++++++++++++++++++++--------
 2 files changed, 84 insertions(+), 22 deletions(-)

diff --git a/doc/src/sgml/release-10.sgml b/doc/src/sgml/release-10.sgml
index b18626fb69..c268ec2a0e 100644
--- a/doc/src/sgml/release-10.sgml
+++ b/doc/src/sgml/release-10.sgml
@@ -38,6 +38,20 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Ensure proper quoting of transition table names
+      when <application>pg_dump</application> emits <command>CREATE TRIGGER
+      ... REFERENCING</command> commands (Tom Lane)
+     </para>
+
+     <para>
+      This oversight could be exploited by an unprivileged user to gain
+      superuser privileges during the next dump/reload
+      or <application>pg_upgrade</application> run.  (CVE-2018-16850)
+     </para>
+    </listitem>
+
     <listitem>
 <!--
 Author: Tom Lane <tgl@sss.pgh.pa.us>
@@ -202,6 +216,25 @@ Branch: REL9_3_STABLE [591d0ac88] 2018-09-15 13:42:34 -0400
      </para>
     </listitem>
 
+    <listitem>
+     <para>
+      Prevent creation of a partition in a trigger attached to its parent
+      table (Amit Langote)
+     </para>
+
+     <para>
+      Ideally we'd allow that, but for the moment it has to be blocked to
+      avoid crashes.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix problems with applying <literal>ON COMMIT DELETE ROWS</literal> to
+      a partitioned temporary table (Amit Langote)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix character-class checks to not fail on Windows for Unicode
@@ -899,14 +932,6 @@ Branch: REL_10_STABLE [cb282eab1] 2018-08-22 14:23:03 +0900
      </para>
     </listitem>
 
-    <listitem>
-     <para>
-      Ensure proper quoting of transition table names
-      when <application>pg_dump</application> emits <command>CREATE TRIGGER
-      ... REFERENCING</command> commands (Tom Lane)
-     </para>
-    </listitem>
-
     <listitem>
 <!--
 Author: Tom Lane <tgl@sss.pgh.pa.us>
diff --git a/doc/src/sgml/release-11.sgml b/doc/src/sgml/release-11.sgml
index 3e81746bb3..1862e8a335 100644
--- a/doc/src/sgml/release-11.sgml
+++ b/doc/src/sgml/release-11.sgml
@@ -35,6 +35,26 @@
 
     <listitem>
 <!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [350410be4] 2018-10-19 00:50:16 -0400
+Branch: REL_11_STABLE [06292bb94] 2018-10-19 00:50:16 -0400
+Branch: REL_10_STABLE [09397f0ed] 2018-10-19 00:50:17 -0400
+-->
+     <para>
+      Ensure proper quoting of transition table names
+      when <application>pg_dump</application> emits <command>CREATE TRIGGER
+      ... REFERENCING</command> commands (Tom Lane)
+     </para>
+
+     <para>
+      This oversight could be exploited by an unprivileged user to gain
+      superuser privileges during the next dump/reload
+      or <application>pg_upgrade</application> run.  (CVE-2018-16850)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
 Author: Alvaro Herrera <alvherre@alvh.no-ip.org>
 Branch: master [dfa608141] 2018-11-03 13:25:19 -0300
 Branch: REL_11_STABLE [33e6c34c3] 2018-11-03 13:25:29 -0300
@@ -132,6 +152,37 @@ Branch: REL_11_STABLE [6eb31cedb] 2018-11-03 16:00:00 -0700
 
     <listitem>
 <!--
+Author: Michael Paquier <michael@paquier.xyz>
+Branch: master [dc3e436b1] 2018-11-05 11:04:02 +0900
+Branch: REL_11_STABLE [7c222d5e5] 2018-11-05 11:04:14 +0900
+Branch: REL_10_STABLE [8aad248f7] 2018-11-05 11:04:20 +0900
+-->
+     <para>
+      Prevent creation of a partition in a trigger attached to its parent
+      table (Amit Langote)
+     </para>
+
+     <para>
+      Ideally we'd allow that, but for the moment it has to be blocked to
+      avoid crashes.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Michael Paquier <michael@paquier.xyz>
+Branch: master [4bc772e2a] 2018-11-05 09:14:33 +0900
+Branch: REL_11_STABLE [948af5232] 2018-11-05 09:15:08 +0900
+Branch: REL_10_STABLE [70c38e708] 2018-11-05 09:15:25 +0900
+-->
+     <para>
+      Fix problems with applying <literal>ON COMMIT DELETE ROWS</literal> to
+      a partitioned temporary table (Amit Langote)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
 Author: Tom Lane <tgl@sss.pgh.pa.us>
 Branch: master [981dc2baa] 2018-11-03 13:56:10 -0400
 Branch: REL_11_STABLE [bf4a9562e] 2018-11-03 13:56:10 -0400
@@ -233,20 +284,6 @@ Branch: REL9_5_STABLE [ac3be116a] 2018-10-19 22:22:57 -0400
 
     <listitem>
 <!--
-Author: Tom Lane <tgl@sss.pgh.pa.us>
-Branch: master [350410be4] 2018-10-19 00:50:16 -0400
-Branch: REL_11_STABLE [06292bb94] 2018-10-19 00:50:16 -0400
-Branch: REL_10_STABLE [09397f0ed] 2018-10-19 00:50:17 -0400
--->
-     <para>
-      Ensure proper quoting of transition table names
-      when <application>pg_dump</application> emits <command>CREATE TRIGGER
-      ... REFERENCING</command> commands (Tom Lane)
-     </para>
-    </listitem>
-
-    <listitem>
-<!--
 Author: Michael Paquier <michael@paquier.xyz>
 Branch: master [d55241af7] 2018-10-19 22:44:12 +0900
 Branch: REL_11_STABLE [cc7f27eae] 2018-10-19 22:45:07 +0900