Last-minute updates for release notes.

tglsfdc · tglsfdc · commit d69c0710a680 · 2017-11-06T12:02:30.000-05:00
Security: CVE-2017-12172, CVE-2017-15098, CVE-2017-15099
diff --git a/doc/src/sgml/release-9.2.sgml b/doc/src/sgml/release-9.2.sgml
@@ -40,6 +40,31 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Fix sample server-start scripts to become <literal>$PGUSER</literal>
+      before opening <literal>$PGLOG</literal> (Noah Misch)
+     </para>
+
+     <para>
+      Previously, the postmaster log file was opened while still running as
+      root.  The database owner could therefore mount an attack against
+      another system user by making <literal>$PGLOG</literal> be a symbolic
+      link to some other file, which would then become corrupted by appending
+      log messages.
+     </para>
+
+     <para>
+      By default, these scripts are not installed anywhere.  Users who have
+      made use of them will need to manually recopy them, or apply the same
+      changes to their modified versions.  If the
+      existing <literal>$PGLOG</literal> file is root-owned, it will need to
+      be removed or renamed out of the way before restarting the server with
+      the corrected script.
+      (CVE-2017-12172)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Properly reject attempts to convert infinite float values to
diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml
@@ -34,6 +34,48 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Fix crash due to rowtype mismatch
+      in <function>json{b}_populate_recordset()</function>
+      (Michael Paquier, Tom Lane)
+     </para>
+
+     <para>
+      These functions used the result rowtype specified in the <literal>FROM
+      ... AS</literal> clause without checking that it matched the actual
+      rowtype of the supplied tuple value.  If it didn't, that would usually
+      result in a crash, though disclosure of server memory contents seems
+      possible as well.
+      (CVE-2017-15098)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix sample server-start scripts to become <literal>$PGUSER</literal>
+      before opening <literal>$PGLOG</literal> (Noah Misch)
+     </para>
+
+     <para>
+      Previously, the postmaster log file was opened while still running as
+      root.  The database owner could therefore mount an attack against
+      another system user by making <literal>$PGLOG</literal> be a symbolic
+      link to some other file, which would then become corrupted by appending
+      log messages.
+     </para>
+
+     <para>
+      By default, these scripts are not installed anywhere.  Users who have
+      made use of them will need to manually recopy them, or apply the same
+      changes to their modified versions.  If the
+      existing <literal>$PGLOG</literal> file is root-owned, it will need to
+      be removed or renamed out of the way before restarting the server with
+      the corrected script.
+      (CVE-2017-12172)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Properly reject attempts to convert infinite float values to
diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml
@@ -33,6 +33,48 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Fix crash due to rowtype mismatch
+      in <function>json{b}_populate_recordset()</function>
+      (Michael Paquier, Tom Lane)
+     </para>
+
+     <para>
+      These functions used the result rowtype specified in the <literal>FROM
+      ... AS</literal> clause without checking that it matched the actual
+      rowtype of the supplied tuple value.  If it didn't, that would usually
+      result in a crash, though disclosure of server memory contents seems
+      possible as well.
+      (CVE-2017-15098)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix sample server-start scripts to become <literal>$PGUSER</literal>
+      before opening <literal>$PGLOG</literal> (Noah Misch)
+     </para>
+
+     <para>
+      Previously, the postmaster log file was opened while still running as
+      root.  The database owner could therefore mount an attack against
+      another system user by making <literal>$PGLOG</literal> be a symbolic
+      link to some other file, which would then become corrupted by appending
+      log messages.
+     </para>
+
+     <para>
+      By default, these scripts are not installed anywhere.  Users who have
+      made use of them will need to manually recopy them, or apply the same
+      changes to their modified versions.  If the
+      existing <literal>$PGLOG</literal> file is root-owned, it will need to
+      be removed or renamed out of the way before restarting the server with
+      the corrected script.
+      (CVE-2017-12172)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix crash when logical decoding is invoked from a SPI-using function,
diff --git a/doc/src/sgml/release-9.5.sgml b/doc/src/sgml/release-9.5.sgml
@@ -23,7 +23,7 @@
    </para>
 
    <para>
-    However, if you use BRIN indexes, see the first changelog entry below.
+    However, if you use BRIN indexes, see the fourth changelog entry below.
    </para>
 
    <para>
@@ -37,6 +37,66 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks
+      table permissions and RLS policies in all cases (Dean Rasheed)
+     </para>
+
+     <para>
+      The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal>
+      requires <literal>SELECT</literal> permission on the columns of the
+      arbiter index, but it failed to check for that in the case of an
+      arbiter specified by constraint name.
+      In addition, for a table with row level security enabled, it failed to
+      check updated rows against the table's <literal>SELECT</literal>
+      policies (regardless of how the arbiter index was specified).
+      (CVE-2017-15099)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix crash due to rowtype mismatch
+      in <function>json{b}_populate_recordset()</function>
+      (Michael Paquier, Tom Lane)
+     </para>
+
+     <para>
+      These functions used the result rowtype specified in the <literal>FROM
+      ... AS</literal> clause without checking that it matched the actual
+      rowtype of the supplied tuple value.  If it didn't, that would usually
+      result in a crash, though disclosure of server memory contents seems
+      possible as well.
+      (CVE-2017-15098)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix sample server-start scripts to become <literal>$PGUSER</literal>
+      before opening <literal>$PGLOG</literal> (Noah Misch)
+     </para>
+
+     <para>
+      Previously, the postmaster log file was opened while still running as
+      root.  The database owner could therefore mount an attack against
+      another system user by making <literal>$PGLOG</literal> be a symbolic
+      link to some other file, which would then become corrupted by appending
+      log messages.
+     </para>
+
+     <para>
+      By default, these scripts are not installed anywhere.  Users who have
+      made use of them will need to manually recopy them, or apply the same
+      changes to their modified versions.  If the
+      existing <literal>$PGLOG</literal> file is root-owned, it will need to
+      be removed or renamed out of the way before restarting the server with
+      the corrected script.
+      (CVE-2017-12172)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix BRIN index summarization to handle concurrent table extension
@@ -259,6 +319,19 @@
      </para>
     </listitem>
 
+    <listitem>
+     <para>
+      Fix missing temp-install prerequisites
+      for <literal>check</literal>-like Make targets (Noah Misch)
+     </para>
+
+     <para>
+      Some non-default test procedures that are meant to work
+      like <literal>make check</literal> failed to ensure that the temporary
+      installation was up to date.
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Sync our copy of the timezone library with IANA release tzcode2017c
diff --git a/doc/src/sgml/release-9.6.sgml b/doc/src/sgml/release-9.6.sgml
@@ -23,7 +23,7 @@
    </para>
 
    <para>
-    However, if you use BRIN indexes, see the first changelog entry below.
+    However, if you use BRIN indexes, see the fourth changelog entry below.
    </para>
 
    <para>
@@ -37,6 +37,66 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks
+      table permissions and RLS policies in all cases (Dean Rasheed)
+     </para>
+
+     <para>
+      The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal>
+      requires <literal>SELECT</literal> permission on the columns of the
+      arbiter index, but it failed to check for that in the case of an
+      arbiter specified by constraint name.
+      In addition, for a table with row level security enabled, it failed to
+      check updated rows against the table's <literal>SELECT</literal>
+      policies (regardless of how the arbiter index was specified).
+      (CVE-2017-15099)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix crash due to rowtype mismatch
+      in <function>json{b}_populate_recordset()</function>
+      (Michael Paquier, Tom Lane)
+     </para>
+
+     <para>
+      These functions used the result rowtype specified in the <literal>FROM
+      ... AS</literal> clause without checking that it matched the actual
+      rowtype of the supplied tuple value.  If it didn't, that would usually
+      result in a crash, though disclosure of server memory contents seems
+      possible as well.
+      (CVE-2017-15098)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix sample server-start scripts to become <literal>$PGUSER</literal>
+      before opening <literal>$PGLOG</literal> (Noah Misch)
+     </para>
+
+     <para>
+      Previously, the postmaster log file was opened while still running as
+      root.  The database owner could therefore mount an attack against
+      another system user by making <literal>$PGLOG</literal> be a symbolic
+      link to some other file, which would then become corrupted by appending
+      log messages.
+     </para>
+
+     <para>
+      By default, these scripts are not installed anywhere.  Users who have
+      made use of them will need to manually recopy them, or apply the same
+      changes to their modified versions.  If the
+      existing <literal>$PGLOG</literal> file is root-owned, it will need to
+      be removed or renamed out of the way before restarting the server with
+      the corrected script.
+      (CVE-2017-12172)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix BRIN index summarization to handle concurrent table extension
@@ -459,6 +519,19 @@ Branch: REL9_6_STABLE [407e66078] 2017-09-14 01:17:15 +0200
      </para>
     </listitem>
 
+    <listitem>
+     <para>
+      Fix missing temp-install prerequisites
+      for <literal>check</literal>-like Make targets (Noah Misch)
+     </para>
+
+     <para>
+      Some non-default test procedures that are meant to work
+      like <literal>make check</literal> failed to ensure that the temporary
+      installation was up to date.
+     </para>
+    </listitem>
+
     <listitem>
 <!--
 Author: Tom Lane <tgl@sss.pgh.pa.us>
