mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Last-minute updates for release notes.

Browse Source 
Security: CVE-2021-3393, CVE-2021-20229
This commit is contained in:
Tom Lane 2021-02-08 11:10:40 -05:00
parent d525fbcfd1
commit cd82d75a98
1 changed files with 65 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
doc/src/sgml/release-13.sgml
View File

@ -23,9 +23,10 @@
</para> </para>
<para> <para>
However, see the first two changelog items below, However, see the first changelog item below concerning a possible
which describe cases in which reindexing indexes after the upgrade need to update stored views. Also see the third and fourth changelog
may be advisable. items, which describe cases in which reindexing indexes after the
upgrade may be advisable.
</para> </para>
</sect2> </sect2>
@ -36,6 +37,67 @@
<listitem> <listitem>
<!-- <!--
Author: Tom Lane <tgl@sss.pgh.pa.us>
Branch: master [c028faf2a] 2021-02-08 10:14:09 -0500
Branch: REL_13_STABLE [d525fbcfd] 2021-02-08 10:14:09 -0500
-->
<para>
Fix failure to check per-column <literal>SELECT</literal> privileges
in some join queries (Tom Lane)
</para>
<para>
In some cases involving joins, the parser failed to record all the
columns read by a query in the column-usage bitmaps that are used
for permissions checking. Although the executor would still insist
on some sort of <literal>SELECT</literal> privilege to run the
query, this meant that a user having <literal>SELECT</literal>
privilege on only one column of a table could nonetheless read all
its columns through a suitably crafted query.
</para>
<para>
A stored view that is subject to this problem will have incomplete
column-usage bitmaps, and thus permissions will still not be
enforced properly on the view after updating. In installations that
depend on column-level permissions for security, it is recommended
to <command>CREATE OR REPLACE</command> all user-defined views to
cause them to be re-parsed.
</para>
<para>
The <productname>PostgreSQL</productname> Project thanks
Sven Klemm for reporting this problem.
(CVE-2021-20229)
</para>
</listitem>
<listitem>
<!--
Author: Heikki Linnakangas <heikki.linnakangas@iki.fi>
Branch: master [6214e2b22] 2021-02-08 11:01:51 +0200
Branch: REL_13_STABLE [8e56684d5] 2021-02-08 11:01:55 +0200
Branch: REL_12_STABLE [f50e88899] 2021-02-08 11:01:55 +0200
Branch: REL_11_STABLE [cb5868cc1] 2021-02-08 11:01:55 +0200
-->
<para>
Fix information leakage in constraint-violation error messages
(Heikki Linnakangas)
</para>
<para>
If an <command>UPDATE</command> command attempts to move a row to a
different partition but finds that it violates some constraint on
the new partition, and the columns in that partition are in
different physical positions than in the parent table, the error
message could reveal the contents of columns that the user does not
have <literal>SELECT</literal> privilege on.
(CVE-2021-3393)
</para>
</listitem>
<listitem>
<!--
Author: Heikki Linnakangas <heikki.linnakangas@iki.fi> Author: Heikki Linnakangas <heikki.linnakangas@iki.fi>
Branch: master [6b4d3046f] 2021-01-20 11:58:03 +0200 Branch: master [6b4d3046f] 2021-01-20 11:58:03 +0200
Branch: REL_13_STABLE [b8403d140] 2021-01-20 11:58:25 +0200 Branch: REL_13_STABLE [b8403d140] 2021-01-20 11:58:25 +0200