Commit b56d5f23 authored by Tom Lane's avatar Tom Lane

Last-minute updates for release notes.

Security: CVE-2018-1115
parent a43a4509
...@@ -23,9 +23,14 @@ ...@@ -23,9 +23,14 @@
</para> </para>
<para> <para>
However, if the function marking mistakes mentioned in the first two However, if you use the <filename>adminpack</filename> extension,
changelog entries below affect you, you will want to take steps to you should update it as per the first changelog entry below.
correct your database catalogs. </para>
<para>
Also, if the function marking mistakes mentioned in the second and
third changelog entries below affect you, you will want to take steps
to correct your database catalogs.
</para> </para>
<para> <para>
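Review bot: the new lead-in paragraph refers to entries by position ("the first changelog entry below", "the second and third changelog entries below"), which silently breaks if another entry is later inserted ahead of them in this list. Consider naming the entries instead, e.g. "the adminpack entry below" and "the volatility-marking entries below", so the pointer survives reordering of the changelog.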
...@@ -41,6 +46,39 @@ ...@@ -41,6 +46,39 @@
<listitem> <listitem>
<!-- <!--
Author: Stephen Frost <sfrost@snowman.net>
Branch: master [7b347409f] 2018-05-07 10:10:33 -0400
Branch: REL_10_STABLE [20f01fc45] 2018-05-07 10:10:41 -0400
Branch: REL9_6_STABLE [53b79ab4f] 2018-05-07 10:10:45 -0400
-->
<para>
Remove public execute privilege
from <filename>contrib/adminpack</filename>'s
<function>pg_logfile_rotate()</function> function (Stephen Frost)
</para>
<para>
<function>pg_logfile_rotate()</function> is a deprecated wrapper
for the core function <function>pg_rotate_logfile()</function>.
When that function was changed to rely on SQL privileges for access
control rather than a hard-coded superuser
check, <function>pg_logfile_rotate()</function> should have been
updated as well, but the need for this was missed. Hence,
if <filename>adminpack</filename> is installed, any user could
request a logfile rotation, creating a minor security issue.
</para>
<para>
After installing this update, administrators should
update <filename>adminpack</filename> by performing
<literal>ALTER EXTENSION adminpack UPDATE</literal> in each
database in which <filename>adminpack</filename> is installed.
(CVE-2018-1115)
</para>
</listitem>
<listitem>
<!--
Author: Tom Lane <tgl@sss.pgh.pa.us> Author: Tom Lane <tgl@sss.pgh.pa.us>
Branch: master [11002f8af] 2018-03-30 18:14:51 -0400 Branch: master [11002f8af] 2018-03-30 18:14:51 -0400
Branch: REL_10_STABLE [283262cd9] 2018-03-30 18:14:51 -0400 Branch: REL_10_STABLE [283262cd9] 2018-03-30 18:14:51 -0400
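Review bot: the remediation paragraph tells administrators to run ALTER EXTENSION adminpack UPDATE in each database where adminpack is installed, but it does not say which extension version that brings the database to, so a reader cannot confirm the fix is in place after running it. Stating the target version (or that the update is what removes the PUBLIC EXECUTE grant on pg_logfile_rotate()) would let operators verify the result rather than trust that the command ran; the explanation of why pg_logfile_rotate() was missed when pg_rotate_logfile() moved to SQL-privilege access control is otherwise clear.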
......
...@@ -23,9 +23,14 @@ ...@@ -23,9 +23,14 @@
</para> </para>
<para> <para>
However, if the function marking mistakes mentioned in the first two However, if you use the <filename>adminpack</filename> extension,
changelog entries below affect you, you will want to take steps to you should update it as per the first changelog entry below.
correct your database catalogs. </para>
<para>
Also, if the function marking mistakes mentioned in the second and
third changelog entries below affect you, you will want to take steps
to correct your database catalogs.
</para> </para>
<para> <para>
...@@ -39,6 +44,33 @@ ...@@ -39,6 +44,33 @@
<itemizedlist> <itemizedlist>
<listitem>
<para>
Remove public execute privilege
from <filename>contrib/adminpack</filename>'s
<function>pg_logfile_rotate()</function> function (Stephen Frost)
</para>
<para>
<function>pg_logfile_rotate()</function> is a deprecated wrapper
for the core function <function>pg_rotate_logfile()</function>.
When that function was changed to rely on SQL privileges for access
control rather than a hard-coded superuser
check, <function>pg_logfile_rotate()</function> should have been
updated as well, but the need for this was missed. Hence,
if <filename>adminpack</filename> is installed, any user could
request a logfile rotation, creating a minor security issue.
</para>
<para>
After installing this update, administrators should
update <filename>adminpack</filename> by performing
<literal>ALTER EXTENSION adminpack UPDATE</literal> in each
database in which <filename>adminpack</filename> is installed.
(CVE-2018-1115)
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Fix incorrect volatility markings on a few built-in functions Fix incorrect volatility markings on a few built-in functions
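Review bot: this copy of the adminpack release-note entry omits the <!-- Author: ... Branch: ... --> provenance comment that precedes the same entry in the first file's hunk (Author: Stephen Frost, with the master, REL_10_STABLE and REL9_6_STABLE commit ids). Add the matching comment block here so this branch's entry traces back to the fixing commits the same way the other one does.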
......