author | Tom Lane <tgl@sss.pgh.pa.us> | 2021-02-08 11:10:40 -0500 |
---|---|---|
committer | Tom Lane <tgl@sss.pgh.pa.us> | 2021-02-08 11:10:40 -0500 |
commit | cd82d75a9861c871b95683afdb12df6374fa8435 (patch) | |
tree | 6fafe8edcb8eee29fda8ffe38cb599c670a48d1b | |
parent | d525fbcfd167b28818301d0a2d3548ae6a744588 (diff) |
Last-minute updates for release notes.
Security: CVE-2021-3393, CVE-2021-20229
-rw-r--r-- | doc/src/sgml/release-13.sgml | 68 |
1 files changed, 65 insertions, 3 deletions
diff --git a/doc/src/sgml/release-13.sgml b/doc/src/sgml/release-13.sgml index 06a9f1a2de3..7d119abba69 100644 --- a/doc/src/sgml/release-13.sgml +++ b/doc/src/sgml/release-13.sgml @@ -23,9 +23,10 @@ </para> <para> - However, see the first two changelog items below, - which describe cases in which reindexing indexes after the upgrade - may be advisable. + However, see the first changelog item below concerning a possible + need to update stored views. Also see the third and fourth changelog + items, which describe cases in which reindexing indexes after the + upgrade may be advisable. </para> </sect2> 
@@ -36,6 +37,67 @@ <listitem> <!-- +Author: Tom Lane <tgl@sss.pgh.pa.us> +Branch: master [c028faf2a] 2021-02-08 10:14:09 -0500 +Branch: REL_13_STABLE [d525fbcfd] 2021-02-08 10:14:09 -0500 +--> + <para> + Fix failure to check per-column <literal>SELECT</literal> privileges + in some join queries (Tom Lane) + </para> + + <para> + In some cases involving joins, the parser failed to record all the + columns read by a query in the column-usage bitmaps that are used + for permissions checking. Although the executor would still insist + on some sort of <literal>SELECT</literal> privilege to run the + query, this meant that a user having <literal>SELECT</literal> + privilege on only one column of a table could nonetheless read all + its columns through a suitably crafted query. + </para> + + <para> + A stored view that is subject to this problem will have incomplete + column-usage bitmaps, and thus permissions will still not be + enforced properly on the view after updating. In installations that + depend on column-level permissions for security, it is recommended + to <command>CREATE OR REPLACE</command> all user-defined views to + cause them to be re-parsed. + </para> + + <para> + The <productname>PostgreSQL</productname> Project thanks + Sven Klemm for reporting this problem. 
+ (CVE-2021-20229) + </para> + </listitem> + + <listitem> +<!-- +Author: Heikki Linnakangas <heikki.linnakangas@iki.fi> +Branch: master [6214e2b22] 2021-02-08 11:01:51 +0200 +Branch: REL_13_STABLE [8e56684d5] 2021-02-08 11:01:55 +0200 +Branch: REL_12_STABLE [f50e88899] 2021-02-08 11:01:55 +0200 +Branch: REL_11_STABLE [cb5868cc1] 2021-02-08 11:01:55 +0200 +--> + <para> + Fix information leakage in constraint-violation error messages + (Heikki Linnakangas) + </para> + + <para> + If an <command>UPDATE</command> command attempts to move a row to a + different partition but finds that it violates some constraint on + the new partition, and the columns in that partition are in + different physical positions than in the parent table, the error + message could reveal the contents of columns that the user does not + have <literal>SELECT</literal> privilege on. + (CVE-2021-3393) + </para> + </listitem> + + <listitem> +<!-- Author: Heikki Linnakangas <heikki.linnakangas@iki.fi> Branch: master [6b4d3046f] 2021-01-20 11:58:03 +0200 Branch: REL_13_STABLE [b8403d140] 2021-01-20 11:58:25 +0200 |
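Review bot: In the first hunk (@@ -23,9 +23,10 @@), the upgrade note refers to entries by position ("the first changelog item", "the third and fourth changelog items"), which is fragile. This change itself had to renumber "the first two changelog items" because two entries were inserted ahead of them. Consider naming the entries by subject instead (the per-column SELECT privilege fix for the stored-views caveat, and the entries that call for reindexing), so a later insertion does not leave the paragraph pointing at the wrong items. It would also help to say here that the stored-views step applies to installations that depend on column-level permissions, as the entry itself states.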
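Review bot: In the second hunk (@@ -36,6 +37,67 @@), the remediation paragraph of the CVE-2021-20229 entry says permissions "will still not be enforced properly on the view after updating", where "updating" can mean either installing this release or modifying the view. Wording such as "after installing this update" would remove the ambiguity. The recommendation to CREATE OR REPLACE all user-defined views also gives no hint on how to carry it out across a database; a pointer to how each view's definition can be obtained (for example with pg_get_viewdef) would make the step actionable. Separately, the CVE-2021-3393 entry does not say whether anything beyond applying the update is required, unlike the entry above it. If nothing is, a sentence stating so would be useful.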