Last-minute updates for release notes.

Security: CVE-2021-3393, CVE-2021-20229
2021-02-08 11:10:40 -05:00 · 2021-02-08 11:10:40 -05:00 · cd82d75a98
commit cd82d75a98
parent d525fbcfd1
1 changed files with 65 additions and 3 deletions
--- a/doc/src/sgml/release-13.sgml
+++ b/doc/src/sgml/release-13.sgml
@ -23,9 +23,10 @@
   </para>

   <para>
-    However, see the first two changelog items below,
-    which describe cases in which reindexing indexes after the upgrade
-    may be advisable.
+    However, see the first changelog item below concerning a possible
+    need to update stored views.  Also see the third and fourth changelog
+    items, which describe cases in which reindexing indexes after the
+    upgrade may be advisable.
   </para>
  </sect2>

@ -36,6 +37,67 @@

    <listitem>
 <!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [c028faf2a] 2021-02-08 10:14:09 -0500
+Branch: REL_13_STABLE [d525fbcfd] 2021-02-08 10:14:09 -0500
+-->
+     <para>
+      Fix failure to check per-column <literal>SELECT</literal> privileges
+      in some join queries (Tom Lane)
+     </para>
+
+     <para>
+      In some cases involving joins, the parser failed to record all the
+      columns read by a query in the column-usage bitmaps that are used
+      for permissions checking.  Although the executor would still insist
+      on some sort of <literal>SELECT</literal> privilege to run the
+      query, this meant that a user having <literal>SELECT</literal>
+      privilege on only one column of a table could nonetheless read all
+      its columns through a suitably crafted query.
+     </para>
+
+     <para>
+      A stored view that is subject to this problem will have incomplete
+      column-usage bitmaps, and thus permissions will still not be
+      enforced properly on the view after updating.  In installations that
+      depend on column-level permissions for security, it is recommended
+      to <command>CREATE OR REPLACE</command> all user-defined views to
+      cause them to be re-parsed.
+     </para>
+
+     <para>
+      The <productname>PostgreSQL</productname> Project thanks
+      Sven Klemm for reporting this problem.
+      (CVE-2021-20229)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Heikki Linnakangas <heikki.linnakangas@iki.fi>
+Branch: master [6214e2b22] 2021-02-08 11:01:51 +0200
+Branch: REL_13_STABLE [8e56684d5] 2021-02-08 11:01:55 +0200
+Branch: REL_12_STABLE [f50e88899] 2021-02-08 11:01:55 +0200
+Branch: REL_11_STABLE [cb5868cc1] 2021-02-08 11:01:55 +0200
+-->
+     <para>
+      Fix information leakage in constraint-violation error messages
+      (Heikki Linnakangas)
+     </para>
+
+     <para>
+      If an <command>UPDATE</command> command attempts to move a row to a
+      different partition but finds that it violates some constraint on
+      the new partition, and the columns in that partition are in
+      different physical positions than in the parent table, the error
+      message could reveal the contents of columns that the user does not
+      have <literal>SELECT</literal> privilege on.
+      (CVE-2021-3393)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
 Author: Heikki Linnakangas <heikki.linnakangas@iki.fi>
 Branch: master [6b4d3046f] 2021-01-20 11:58:03 +0200
 Branch: REL_13_STABLE [b8403d140] 2021-01-20 11:58:25 +0200