rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Last-minute updates for release notes. 

Security: CVE-2017-12172, CVE-2017-15098, CVE-2017-15099
This commit is contained in:
Tom Lane 2017-11-06 12:02:30 -05:00
parent 38e825632b
commit d69c0710a6
5 changed files with 257 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
doc/src/sgml/release-9.2.sgml
View File

@ -40,6 +40,31 @@
<itemizedlist>
<listitem>
<para>
Fix sample server-start scripts to become <literal>$PGUSER</literal>
before opening <literal>$PGLOG</literal> (Noah Misch)
</para>
<para>
Previously, the postmaster log file was opened while still running as
root. The database owner could therefore mount an attack against
another system user by making <literal>$PGLOG</literal> be a symbolic
link to some other file, which would then become corrupted by appending
log messages.
</para>
<para>
By default, these scripts are not installed anywhere. Users who have
made use of them will need to manually recopy them, or apply the same
changes to their modified versions. If the
existing <literal>$PGLOG</literal> file is root-owned, it will need to
be removed or renamed out of the way before restarting the server with
the corrected script.
(CVE-2017-12172)
</para>
</listitem>
<listitem>
<para>
Properly reject attempts to convert infinite float values to

42
doc/src/sgml/release-9.3.sgml
View File

@ -34,6 +34,48 @@
<itemizedlist>
<listitem>
<para>
Fix crash due to rowtype mismatch
in <function>json{b}_populate_recordset()</function>
(Michael Paquier, Tom Lane)
</para>
<para>
These functions used the result rowtype specified in the <literal>FROM
... AS</literal> clause without checking that it matched the actual
rowtype of the supplied tuple value. If it didn't, that would usually
result in a crash, though disclosure of server memory contents seems
possible as well.
(CVE-2017-15098)
</para>
</listitem>
<listitem>
<para>
Fix sample server-start scripts to become <literal>$PGUSER</literal>
before opening <literal>$PGLOG</literal> (Noah Misch)
</para>
<para>
Previously, the postmaster log file was opened while still running as
root. The database owner could therefore mount an attack against
another system user by making <literal>$PGLOG</literal> be a symbolic
link to some other file, which would then become corrupted by appending
log messages.
</para>
<para>
By default, these scripts are not installed anywhere. Users who have
made use of them will need to manually recopy them, or apply the same
changes to their modified versions. If the
existing <literal>$PGLOG</literal> file is root-owned, it will need to
be removed or renamed out of the way before restarting the server with
the corrected script.
(CVE-2017-12172)
</para>
</listitem>
<listitem>
<para>
Properly reject attempts to convert infinite float values to

42
doc/src/sgml/release-9.4.sgml
View File

@ -33,6 +33,48 @@
<itemizedlist>
<listitem>
<para>
Fix crash due to rowtype mismatch
in <function>json{b}_populate_recordset()</function>
(Michael Paquier, Tom Lane)
</para>
<para>
These functions used the result rowtype specified in the <literal>FROM
... AS</literal> clause without checking that it matched the actual
rowtype of the supplied tuple value. If it didn't, that would usually
result in a crash, though disclosure of server memory contents seems
possible as well.
(CVE-2017-15098)
</para>
</listitem>
<listitem>
<para>
Fix sample server-start scripts to become <literal>$PGUSER</literal>
before opening <literal>$PGLOG</literal> (Noah Misch)
</para>
<para>
Previously, the postmaster log file was opened while still running as
root. The database owner could therefore mount an attack against
another system user by making <literal>$PGLOG</literal> be a symbolic
link to some other file, which would then become corrupted by appending
log messages.
</para>
<para>
By default, these scripts are not installed anywhere. Users who have
made use of them will need to manually recopy them, or apply the same
changes to their modified versions. If the
existing <literal>$PGLOG</literal> file is root-owned, it will need to
be removed or renamed out of the way before restarting the server with
the corrected script.
(CVE-2017-12172)
</para>
</listitem>
<listitem>
<para>
Fix crash when logical decoding is invoked from a SPI-using function,

75
doc/src/sgml/release-9.5.sgml
View File

@ -23,7 +23,7 @@
</para>
<para>
However, if you use BRIN indexes, see the first changelog entry below.
However, if you use BRIN indexes, see the fourth changelog entry below.
</para>
<para>
@ -37,6 +37,66 @@
<itemizedlist>
<listitem>
<para>
Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks
table permissions and RLS policies in all cases (Dean Rasheed)
</para>
<para>
The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal>
requires <literal>SELECT</literal> permission on the columns of the
arbiter index, but it failed to check for that in the case of an
arbiter specified by constraint name.
In addition, for a table with row level security enabled, it failed to
check updated rows against the table's <literal>SELECT</literal>
policies (regardless of how the arbiter index was specified).
(CVE-2017-15099)
</para>
</listitem>
<listitem>
<para>
Fix crash due to rowtype mismatch
in <function>json{b}_populate_recordset()</function>
(Michael Paquier, Tom Lane)
</para>
<para>
These functions used the result rowtype specified in the <literal>FROM
... AS</literal> clause without checking that it matched the actual
rowtype of the supplied tuple value. If it didn't, that would usually
result in a crash, though disclosure of server memory contents seems
possible as well.
(CVE-2017-15098)
</para>
</listitem>
<listitem>
<para>
Fix sample server-start scripts to become <literal>$PGUSER</literal>
before opening <literal>$PGLOG</literal> (Noah Misch)
</para>
<para>
Previously, the postmaster log file was opened while still running as
root. The database owner could therefore mount an attack against
another system user by making <literal>$PGLOG</literal> be a symbolic
link to some other file, which would then become corrupted by appending
log messages.
</para>
<para>
By default, these scripts are not installed anywhere. Users who have
made use of them will need to manually recopy them, or apply the same
changes to their modified versions. If the
existing <literal>$PGLOG</literal> file is root-owned, it will need to
be removed or renamed out of the way before restarting the server with
the corrected script.
(CVE-2017-12172)
</para>
</listitem>
<listitem>
<para>
Fix BRIN index summarization to handle concurrent table extension
@ -259,6 +319,19 @@
</para>
</listitem>
<listitem>
<para>
Fix missing temp-install prerequisites
for <literal>check</literal>-like Make targets (Noah Misch)
</para>
<para>
Some non-default test procedures that are meant to work
like <literal>make check</literal> failed to ensure that the temporary
installation was up to date.
</para>
</listitem>
<listitem>
<para>
Sync our copy of the timezone library with IANA release tzcode2017c

75
doc/src/sgml/release-9.6.sgml
View File

@ -23,7 +23,7 @@
</para>
<para>
However, if you use BRIN indexes, see the first changelog entry below.
However, if you use BRIN indexes, see the fourth changelog entry below.
</para>
<para>
@ -37,6 +37,66 @@
<itemizedlist>
<listitem>
<para>
Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks
table permissions and RLS policies in all cases (Dean Rasheed)
</para>
<para>
The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal>
requires <literal>SELECT</literal> permission on the columns of the
arbiter index, but it failed to check for that in the case of an
arbiter specified by constraint name.
In addition, for a table with row level security enabled, it failed to
check updated rows against the table's <literal>SELECT</literal>
policies (regardless of how the arbiter index was specified).
(CVE-2017-15099)
</para>
</listitem>
<listitem>
<para>
Fix crash due to rowtype mismatch
in <function>json{b}_populate_recordset()</function>
(Michael Paquier, Tom Lane)
</para>
<para>
These functions used the result rowtype specified in the <literal>FROM
... AS</literal> clause without checking that it matched the actual
rowtype of the supplied tuple value. If it didn't, that would usually
result in a crash, though disclosure of server memory contents seems
possible as well.
(CVE-2017-15098)
</para>
</listitem>
<listitem>
<para>
Fix sample server-start scripts to become <literal>$PGUSER</literal>
before opening <literal>$PGLOG</literal> (Noah Misch)
</para>
<para>
Previously, the postmaster log file was opened while still running as
root. The database owner could therefore mount an attack against
another system user by making <literal>$PGLOG</literal> be a symbolic
link to some other file, which would then become corrupted by appending
log messages.
</para>
<para>
By default, these scripts are not installed anywhere. Users who have
made use of them will need to manually recopy them, or apply the same
changes to their modified versions. If the
existing <literal>$PGLOG</literal> file is root-owned, it will need to
be removed or renamed out of the way before restarting the server with
the corrected script.
(CVE-2017-12172)
</para>
</listitem>
<listitem>
<para>
Fix BRIN index summarization to handle concurrent table extension
@ -459,6 +519,19 @@ Branch: REL9_6_STABLE [407e66078] 2017-09-14 01:17:15 +0200
</para>
</listitem>
<listitem>
<para>
Fix missing temp-install prerequisites
for <literal>check</literal>-like Make targets (Noah Misch)
</para>
<para>
Some non-default test procedures that are meant to work
like <literal>make check</literal> failed to ensure that the temporary
installation was up to date.
</para>
</listitem>
<listitem>
<!--
Author: Tom Lane <tgl@sss.pgh.pa.us>