Diffstat (limited to 'doc/src/sgml')
| -rw-r--r-- | doc/src/sgml/release-13.sgml | 70 | 
1 files changed, 69 insertions, 1 deletions
| diff --git a/doc/src/sgml/release-13.sgml b/doc/src/sgml/release-13.sgml index ffb1535fc86..e809633ffb9 100644 --- a/doc/src/sgml/release-13.sgml +++ b/doc/src/sgml/release-13.sgml @@ -25,7 +25,7 @@     <para>      However, note that installations using physical replication should      update standby servers before the primary server, as explained in -    the first changelog entry below. +    the third changelog entry below.     </para>     <para> 
@@ -48,6 +48,74 @@      <listitem>  <!-- +Author: Tom Lane <tgl@sss.pgh.pa.us> +Branch: master [28e241255] 2021-11-08 11:01:43 -0500 +Branch: REL_14_STABLE [9d5a76b8d] 2021-11-08 11:01:43 -0500 +Branch: REL_13_STABLE [e92ed93e8] 2021-11-08 11:01:43 -0500 +Branch: REL_12_STABLE [d1bd26740] 2021-11-08 11:01:43 -0500 +Branch: REL_11_STABLE [9394fb828] 2021-11-08 11:01:43 -0500 +Branch: REL_10_STABLE [9ae0f1112] 2021-11-08 11:01:43 -0500 +Branch: REL9_6_STABLE [046c2c846] 2021-11-08 11:01:43 -0500 +--> +     <para> +      Make the server reject extraneous data after an SSL or GSS +      encryption handshake (Tom Lane) +     </para> + +     <para> +      A man-in-the-middle with the ability to inject data into the TCP +      connection could stuff some cleartext data into the start of a +      supposedly encryption-protected database session. +      This could be abused to send faked SQL commands to the server, +      although that would only work if the server did not demand any +      authentication data.  (However, a server relying on SSL certificate +      authentication might well not do so.) +     </para> + +     <para> +      The <productname>PostgreSQL</productname> Project thanks +      Jacob Champion for reporting this problem. 
+      (CVE-2021-23214) +     </para> +    </listitem> + +    <listitem> +<!-- +Author: Tom Lane <tgl@sss.pgh.pa.us> +Branch: master [160c02588] 2021-11-08 11:14:56 -0500 +Branch: REL_14_STABLE [30547d791] 2021-11-08 11:14:56 -0500 +Branch: REL_13_STABLE [844b31692] 2021-11-08 11:14:56 -0500 +Branch: REL_12_STABLE [36bb95ef2] 2021-11-08 11:14:56 -0500 +Branch: REL_11_STABLE [a021a1d2a] 2021-11-08 11:14:56 -0500 +Branch: REL_10_STABLE [e65d9c8cd] 2021-11-08 11:14:56 -0500 +Branch: REL9_6_STABLE [d83cdfdca] 2021-11-08 11:14:57 -0500 +--> +     <para> +      Make <application>libpq</application> reject extraneous data after +      an SSL or GSS encryption handshake (Tom Lane) +     </para> + +     <para> +      A man-in-the-middle with the ability to inject data into the TCP +      connection could stuff some cleartext data into the start of a +      supposedly encryption-protected database session. +      This could probably be abused to inject faked responses to the +      client's first few queries, although other details of libpq's +      behavior make that harder than it sounds.  A different line of +      attack is to exfiltrate the client's password, or other sensitive +      data that might be sent early in the session.  That has been shown +      to be possible with a server vulnerable to CVE-2021-23214. +     </para> + +     <para> +      The <productname>PostgreSQL</productname> Project thanks +      Jacob Champion for reporting this problem. +      (CVE-2021-23222) +     </para> +    </listitem> + +    <listitem> +<!--  Author: Alvaro Herrera <alvherre@alvh.no-ip.org>  Branch: master [ff9f111bc] 2021-09-29 11:21:51 -0300  Branch: REL_14_STABLE [64a8687a6] 2021-09-29 11:41:01 -0300 | 
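Review bot: In the first hunk (@@ -25,7 +25,7 @@), "the third changelog entry below" is a positional pointer that this same commit had to renumber from "first" because two entries are inserted ahead of the one it refers to, and it will go stale again whenever another entry is added above it. Consider identifying the target entry by its subject, or by a link to it, rather than by its position in the list.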
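Review bot: In the second hunk (@@ -48,6 +48,74 @@), the libpq entry for CVE-2021-23222 says password exfiltration "has been shown to be possible with a server vulnerable to CVE-2021-23214", but neither new entry says whether updating only one side is sufficient, so a reader could conclude that patching the server alone also closes the client-side problem. One sentence stating which of server and libpq must be updated would remove the ambiguity. Separately, in the server entry the parenthetical "might well not do so" sits far from what it refers to ("demand any authentication data"); spelling that out would make the certificate-authentication caveat easier to read.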
