author Tom Lane <tgl@sss.pgh.pa.us> 2015-05-18 12:09:02 -0400
committer Tom Lane <tgl@sss.pgh.pa.us> 2015-05-18 12:09:02 -0400
commit 32f8d57c1dc14c289959b1d6d96820e8cb02a311
tree 1f8e6d227b6ff3da83b91a99c57ead3c02772727
parent 7b758b7d605aca10b36aa1c26bbf16c33f8ac726
Last-minute updates for release notes.
Add entries for security issues.

Security: CVE-2015-3165 through CVE-2015-3167
-rw-r--r-- doc/src/sgml/release-9.0.sgml 51
-rw-r--r-- doc/src/sgml/release-9.1.sgml 51
-rw-r--r-- doc/src/sgml/release-9.2.sgml 51
-rw-r--r-- doc/src/sgml/release-9.3.sgml 51
4 files changed, 204 insertions, 0 deletions
diff --git a/doc/src/sgml/release-9.0.sgml b/doc/src/sgml/release-9.0.sgml
index c3fcbf7b6be..a3d9461fa6f 100644
--- a/doc/src/sgml/release-9.0.sgml
+++ b/doc/src/sgml/release-9.0.sgml
@@ -42,6 +42,57 @@
<listitem>
<para>
+ Avoid possible crash when client disconnects just before the
+ authentication timeout expires (Benkocs Norbert Attila)
+ </para>
+
+ <para>
+ If the timeout interrupt fired partway through the session shutdown
+ sequence, SSL-related state would be freed twice, typically causing a
+ crash and hence denial of service to other sessions. Experimentation
+ shows that an unauthenticated remote attacker could trigger the bug
+ somewhat consistently, hence treat as security issue.
+ (CVE-2015-3165)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Consistently check for failure of the <function>*printf()</> family of
+ functions (Noah Misch)
+ </para>
+
+ <para>
+ Most calls of these functions did not consider the possibility that
+ the functions could fail with, eg, out-of-memory conditions. The usual
+ result would just be missing output, but crashes or exposure of
+ unintended information are also possible. To protect against such
+ risks uniformly, create wrappers around these functions that throw an
+ error on failure. Also add missing error checks to a few
+ security-relevant calls of other system functions.
+ (CVE-2015-3166)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ In <filename>contrib/pgcrypto</>, uniformly report decryption failures
+ as <quote>Wrong key or corrupt data</> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, some cases of decryption with an incorrect key could report
+ other error message texts. It has been shown that such variance in
+ error reports can aid attackers in recovering keys from other systems.
+ While it's unknown whether <filename>pgcrypto</>'s specific behaviors
+ are likewise exploitable, it seems better to avoid the risk by using a
+ one-size-fits-all message.
+ (CVE-2015-3167)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
Fix incorrect checking of deferred exclusion constraints after a HOT
update (Tom Lane)
</para>
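Review bot: In the CVE-2015-3165 paragraph, "hence treat as security issue" reads as commit-log shorthand rather than release-note prose, and the entry does not say whether servers running without SSL are exposed, although only "SSL-related state" is named as being freed twice. Suggest "so this is being treated as a security issue", plus a clause stating which configurations are affected, so administrators can judge how urgently to upgrade.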
diff --git a/doc/src/sgml/release-9.1.sgml b/doc/src/sgml/release-9.1.sgml
index 7aecb5e09c0..82dde5e038b 100644
--- a/doc/src/sgml/release-9.1.sgml
+++ b/doc/src/sgml/release-9.1.sgml
@@ -42,6 +42,57 @@
<listitem>
<para>
+ Avoid possible crash when client disconnects just before the
+ authentication timeout expires (Benkocs Norbert Attila)
+ </para>
+
+ <para>
+ If the timeout interrupt fired partway through the session shutdown
+ sequence, SSL-related state would be freed twice, typically causing a
+ crash and hence denial of service to other sessions. Experimentation
+ shows that an unauthenticated remote attacker could trigger the bug
+ somewhat consistently, hence treat as security issue.
+ (CVE-2015-3165)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Consistently check for failure of the <function>*printf()</> family of
+ functions (Noah Misch)
+ </para>
+
+ <para>
+ Most calls of these functions did not consider the possibility that
+ the functions could fail with, eg, out-of-memory conditions. The usual
+ result would just be missing output, but crashes or exposure of
+ unintended information are also possible. To protect against such
+ risks uniformly, create wrappers around these functions that throw an
+ error on failure. Also add missing error checks to a few
+ security-relevant calls of other system functions.
+ (CVE-2015-3166)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ In <filename>contrib/pgcrypto</>, uniformly report decryption failures
+ as <quote>Wrong key or corrupt data</> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, some cases of decryption with an incorrect key could report
+ other error message texts. It has been shown that such variance in
+ error reports can aid attackers in recovering keys from other systems.
+ While it's unknown whether <filename>pgcrypto</>'s specific behaviors
+ are likewise exploitable, it seems better to avoid the risk by using a
+ one-size-fits-all message.
+ (CVE-2015-3167)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
Fix incorrect declaration of <filename>contrib/citext</>'s
<function>regexp_matches()</> functions (Tom Lane)
</para>
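Review bot: The CVE-2015-3166 paragraph ends with "Also add missing error checks to a few security-relevant calls of other system functions" without naming any of those functions, so a reader cannot tell what was exposed. Suggest listing them or saying where they are described. In the same paragraph, "exposure of unintended information" would benefit from one concrete case, and "eg," should be "e.g.,".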
diff --git a/doc/src/sgml/release-9.2.sgml b/doc/src/sgml/release-9.2.sgml
index 9ebc92d27ed..ff715efaa59 100644
--- a/doc/src/sgml/release-9.2.sgml
+++ b/doc/src/sgml/release-9.2.sgml
@@ -42,6 +42,57 @@
<listitem>
<para>
+ Avoid possible crash when client disconnects just before the
+ authentication timeout expires (Benkocs Norbert Attila)
+ </para>
+
+ <para>
+ If the timeout interrupt fired partway through the session shutdown
+ sequence, SSL-related state would be freed twice, typically causing a
+ crash and hence denial of service to other sessions. Experimentation
+ shows that an unauthenticated remote attacker could trigger the bug
+ somewhat consistently, hence treat as security issue.
+ (CVE-2015-3165)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Consistently check for failure of the <function>*printf()</> family of
+ functions (Noah Misch)
+ </para>
+
+ <para>
+ Most calls of these functions did not consider the possibility that
+ the functions could fail with, eg, out-of-memory conditions. The usual
+ result would just be missing output, but crashes or exposure of
+ unintended information are also possible. To protect against such
+ risks uniformly, create wrappers around these functions that throw an
+ error on failure. Also add missing error checks to a few
+ security-relevant calls of other system functions.
+ (CVE-2015-3166)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ In <filename>contrib/pgcrypto</>, uniformly report decryption failures
+ as <quote>Wrong key or corrupt data</> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, some cases of decryption with an incorrect key could report
+ other error message texts. It has been shown that such variance in
+ error reports can aid attackers in recovering keys from other systems.
+ While it's unknown whether <filename>pgcrypto</>'s specific behaviors
+ are likewise exploitable, it seems better to avoid the risk by using a
+ one-size-fits-all message.
+ (CVE-2015-3167)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
Fix incorrect declaration of <filename>contrib/citext</>'s
<function>regexp_matches()</> functions (Tom Lane)
</para>
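Review bot: In the CVE-2015-3167 paragraph, "can aid attackers in recovering keys from other systems" is ambiguous: it can be read as keys being taken from other systems rather than as a result demonstrated against other software. Suggest "It has been shown in other systems that such variance in error reports can aid attackers in recovering keys". The entry could also tell users that client code matching on the earlier error texts will now see only "Wrong key or corrupt data".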
diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml
index dca9275f7b5..4c0d8535435 100644
--- a/doc/src/sgml/release-9.3.sgml
+++ b/doc/src/sgml/release-9.3.sgml
@@ -42,6 +42,57 @@
<listitem>
<para>
+ Avoid possible crash when client disconnects just before the
+ authentication timeout expires (Benkocs Norbert Attila)
+ </para>
+
+ <para>
+ If the timeout interrupt fired partway through the session shutdown
+ sequence, SSL-related state would be freed twice, typically causing a
+ crash and hence denial of service to other sessions. Experimentation
+ shows that an unauthenticated remote attacker could trigger the bug
+ somewhat consistently, hence treat as security issue.
+ (CVE-2015-3165)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Consistently check for failure of the <function>*printf()</> family of
+ functions (Noah Misch)
+ </para>
+
+ <para>
+ Most calls of these functions did not consider the possibility that
+ the functions could fail with, eg, out-of-memory conditions. The usual
+ result would just be missing output, but crashes or exposure of
+ unintended information are also possible. To protect against such
+ risks uniformly, create wrappers around these functions that throw an
+ error on failure. Also add missing error checks to a few
+ security-relevant calls of other system functions.
+ (CVE-2015-3166)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ In <filename>contrib/pgcrypto</>, uniformly report decryption failures
+ as <quote>Wrong key or corrupt data</> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, some cases of decryption with an incorrect key could report
+ other error message texts. It has been shown that such variance in
+ error reports can aid attackers in recovering keys from other systems.
+ While it's unknown whether <filename>pgcrypto</>'s specific behaviors
+ are likewise exploitable, it seems better to avoid the risk by using a
+ one-size-fits-all message.
+ (CVE-2015-3167)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
Protect against wraparound of multixact member IDs
(&Aacute;lvaro Herrera, Robert Haas, Thomas Munro)
</para>
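Review bot: The CVE-2015-3165 paragraph says the crash causes "denial of service to other sessions" but gives no reason why a crash in one not-yet-authenticated session affects the rest. Suggest a short clause stating the mechanism (for example, that the server resets all sessions after a backend crash, if that is what is meant), since that is what turns a single-session crash into a remotely triggerable outage.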