Skip to content

Commit 44909f4

Browse files
tglsfdctglsfdc
committed
Last-minute release note updates.
Security: CVE-2012-0866, CVE-2012-0867, CVE-2012-0868
1 parent d975e16 commit 44909f4

File tree

2 files changed

+80
-0
lines changed

2 files changed

+80
-0
lines changed

doc/src/sgml/release-8.3.sgml

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,36 @@
3434

3535
<itemizedlist>
3636

37+
<listitem>
38+
<para>
39+
Require execute permission on the trigger function for
40+
<command>CREATE TRIGGER</> (Robert Haas)
41+
</para>
42+
43+
<para>
44+
This missing check could allow another user to execute a trigger
45+
function with forged input data, by installing it on a table he owns.
46+
This is only of significance for trigger functions marked
47+
<literal>SECURITY DEFINER</>, since otherwise trigger functions run
48+
as the table owner anyway. (CVE-2012-0866)
49+
</para>
50+
</listitem>
51+
52+
<listitem>
53+
<para>
54+
Convert newlines to spaces in names written in <application>pg_dump</>
55+
comments (Robert Haas)
56+
</para>
57+
58+
<para>
59+
<application>pg_dump</> was incautious about sanitizing object names
60+
that are emitted within SQL comments in its output script. A name
61+
containing a newline would at least render the script syntactically
62+
incorrect. Maliciously crafted object names could present a SQL
63+
injection risk when the script is reloaded. (CVE-2012-0868)
64+
</para>
65+
</listitem>
66+
3767
<listitem>
3868
<para>
3969
Fix btree index corruption from insertions concurrent with vacuuming

doc/src/sgml/release-8.4.sgml

Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,56 @@
3434

3535
<itemizedlist>
3636

37+
<listitem>
38+
<para>
39+
Require execute permission on the trigger function for
40+
<command>CREATE TRIGGER</> (Robert Haas)
41+
</para>
42+
43+
<para>
44+
This missing check could allow another user to execute a trigger
45+
function with forged input data, by installing it on a table he owns.
46+
This is only of significance for trigger functions marked
47+
<literal>SECURITY DEFINER</>, since otherwise trigger functions run
48+
as the table owner anyway. (CVE-2012-0866)
49+
</para>
50+
</listitem>
51+
52+
<listitem>
53+
<para>
54+
Remove arbitrary limitation on length of common name in SSL
55+
certificates (Heikki Linnakangas)
56+
</para>
57+
58+
<para>
59+
Both <application>libpq</> and the server truncated the common name
60+
extracted from an SSL certificate at 32 bytes. Normally this would
61+
cause nothing worse than an unexpected verification failure, but there
62+
are some rather-implausible scenarios in which it might allow one
63+
certificate holder to impersonate another. The victim would have to
64+
have a common name exactly 32 bytes long, and the attacker would have
65+
to persuade a trusted CA to issue a certificate in which the common
66+
name has that string as a prefix. Impersonating a server would also
67+
require some additional exploit to redirect client connections.
68+
(CVE-2012-0867)
69+
</para>
70+
</listitem>
71+
72+
<listitem>
73+
<para>
74+
Convert newlines to spaces in names written in <application>pg_dump</>
75+
comments (Robert Haas)
76+
</para>
77+
78+
<para>
79+
<application>pg_dump</> was incautious about sanitizing object names
80+
that are emitted within SQL comments in its output script. A name
81+
containing a newline would at least render the script syntactically
82+
incorrect. Maliciously crafted object names could present a SQL
83+
injection risk when the script is reloaded. (CVE-2012-0868)
84+
</para>
85+
</listitem>
86+
3787
<listitem>
3888
<para>
3989
Fix btree index corruption from insertions concurrent with vacuuming

0 commit comments

Comments
 (0)