Last-minute updates for release notes.

Security: CVE-2023-39417, CVE-2023-39418
This commit is contained in:
Tom Lane 2023-08-07 12:50:15 -04:00
parent de494ec14f
commit 948757fe49
1 changed files with 88 additions and 1 deletions

View File

@ -24,7 +24,7 @@
<para>
However, if you use BRIN indexes, it may be advisable to reindex them;
see the first changelog entry below.
see the third changelog entry below.
</para>
<para>
@ -40,6 +40,72 @@
<listitem>
<!--
Author: Noah Misch <noah@leadboat.com>
Branch: master [cd5f2a357] 2023-08-07 06:05:56 -0700
Branch: REL_16_STABLE [f53511010] 2023-08-07 06:05:59 -0700
Branch: REL_15_STABLE [de494ec14] 2023-08-07 06:06:00 -0700
Branch: REL_14_STABLE [d4648a74b] 2023-08-07 06:06:00 -0700
Branch: REL_13_STABLE [b1b585e0f] 2023-08-07 06:06:00 -0700
Branch: REL_12_STABLE [eb044d8f0] 2023-08-07 06:06:00 -0700
Branch: REL_11_STABLE [919ebb023] 2023-08-07 06:06:01 -0700
-->
<para>
Disallow substituting a schema or owner name into an extension script
if the name contains a quote, backslash, or dollar sign (Noah Misch)
</para>
<para>
This restriction guards against SQL-injection hazards for trusted
extensions.
</para>
<para>
The <productname>PostgreSQL</productname> Project thanks Micah Gate,
Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting
this problem.
(CVE-2023-39417)
</para>
</listitem>
<listitem>
<!--
Author: Dean Rasheed <dean.a.rasheed@gmail.com>
Branch: master [c2e08b04c] 2023-08-07 09:28:47 +0100
Branch: REL_16_STABLE [67a007dc0] 2023-08-07 09:27:09 +0100
Branch: REL_15_STABLE [cb2ae5741] 2023-08-07 09:24:27 +0100
-->
<para>
Fix <command>MERGE</command> to enforce row security policies
properly (Dean Rasheed)
</para>
<para>
When <command>MERGE</command> performs an <literal>UPDATE</literal>
action, it should enforce any <literal>UPDATE</literal> or
<literal>SELECT</literal> RLS policies defined on the target table,
to be consistent with the way that a plain <command>UPDATE</command>
with a <literal>WHERE</literal> clause works. Instead it was
enforcing <literal>INSERT</literal> RLS policies for both
<literal>INSERT</literal> and <literal>UPDATE</literal> actions.
</para>
<para>
In addition, when <command>MERGE</command> performs a <literal>DO
NOTHING</literal> action, it applied the target table's
<literal>DELETE</literal> RLS policies to existing rows, even though
those rows are not being deleted. While it's not a security
problem, this could result in unwanted errors.
</para>
<para>
The <productname>PostgreSQL</productname> Project thanks
Dean Rasheed for reporting this problem.
(CVE-2023-39418)
</para>
</listitem>
<listitem>
<!--
Author: Tomas Vondra <tomas.vondra@postgresql.org>
Branch: master Release: REL_16_BR [3581cbdcd] 2023-05-19 01:29:44 +0200
Branch: REL_15_STABLE [e18769323] 2023-05-19 00:15:13 +0200
@ -240,6 +306,27 @@ Branch: REL_11_STABLE [f6345f03f] 2023-06-19 13:03:17 +1200
<listitem>
<!--
Author: David Rowley <drowley@postgresql.org>
Branch: master [990c3650c] 2023-08-07 22:14:21 +1200
Branch: REL_16_STABLE [ae89129aa] 2023-08-07 22:14:54 +1200
Branch: REL_15_STABLE [71662373b] 2023-08-07 22:15:23 +1200
Branch: REL_14_STABLE [bf315354e] 2023-08-07 22:15:50 +1200
-->
<para>
Don't Memoize lateral joins with volatile join conditions
(Richard Guo)
</para>
<para>
Applying Memoize to a sub-plan that contains volatile filter
conditions is likely to lead to wrong answers. The check to avoid
doing this missed some cases that can arise when
using <literal>LATERAL</literal>.
</para>
</listitem>
<listitem>
<!--
Author: Etsuro Fujita <efujita@postgresql.org>
Branch: master [6f80a8d9c] 2023-07-28 15:45:00 +0900
Branch: REL_16_STABLE [695f5deb7] 2023-07-28 15:45:01 +0900