|
36 | 36 | <listitem> |
37 | 37 | <!-- |
38 | 38 | Author: Noah Misch <noah@leadboat.com> |
| 39 | +Branch: master [0c3185e96] 2020-11-09 07:32:09 -0800 |
| 40 | +Branch: REL_13_STABLE [c90c84b3f] 2020-11-09 07:32:12 -0800 |
| 41 | +Branch: REL_12_STABLE [ac8f6243c] 2020-11-09 07:32:12 -0800 |
| 42 | +Branch: REL_11_STABLE [43ebfea5a] 2020-11-09 07:32:13 -0800 |
| 43 | +Branch: REL_10_STABLE [f97ecea1e] 2020-11-09 07:32:13 -0800 |
| 44 | +Branch: REL9_6_STABLE [ff3de4c21] 2020-11-09 07:32:13 -0800 |
| 45 | +Branch: REL9_5_STABLE [aefc625de] 2020-11-09 07:32:14 -0800 |
| 46 | +--> |
| 47 | + <para> |
| 48 | + Block <command>DECLARE CURSOR ... WITH HOLD</command> and firing of |
| 49 | + deferred triggers within index expressions and materialized view |
| 50 | + queries (Noah Misch) |
| 51 | + </para> |
| 52 | + |
| 53 | + <para> |
| 54 | + This is essentially a leak in the <quote>security restricted |
| 55 | + operation</quote> sandbox mechanism. An attacker having permission |
| 56 | + to create non-temporary SQL objects could parlay this leak to |
| 57 | + execute arbitrary SQL code as a superuser. |
| 58 | + </para> |
| 59 | + |
| 60 | + <para> |
| 61 | + The <productname>PostgreSQL</productname> Project thanks |
| 62 | + Etienne Stalmans for reporting this problem. |
| 63 | + (CVE-2020-25695) |
| 64 | + </para> |
| 65 | + </listitem> |
| 66 | + |
| 67 | + <listitem> |
| 68 | +<!-- |
| 69 | +Author: Tom Lane <tgl@sss.pgh.pa.us> |
| 70 | +Branch: master [a45bc8a4f] 2020-09-24 18:19:38 -0400 |
| 71 | +Branch: REL_13_STABLE [cb8885ac4] 2020-09-24 18:19:38 -0400 |
| 72 | +Branch: REL_12_STABLE [fb93f784f] 2020-09-24 18:19:38 -0400 |
| 73 | +Branch: REL_11_STABLE [1738a61c8] 2020-09-24 18:19:39 -0400 |
| 74 | +Branch: REL_10_STABLE [1888ff8d0] 2020-09-24 18:19:39 -0400 |
| 75 | +Branch: REL9_6_STABLE [7c154f2fd] 2020-09-24 18:19:39 -0400 |
| 76 | +Branch: REL9_5_STABLE [56b46d3a1] 2020-09-24 18:19:39 -0400 |
| 77 | +Branch: master [8e5793ab6] 2020-10-19 19:03:46 -0400 |
| 78 | +Branch: REL_13_STABLE [1814f915b] 2020-10-19 19:03:46 -0400 |
| 79 | +Branch: REL_12_STABLE [c6d0b9b16] 2020-10-19 19:03:46 -0400 |
| 80 | +Branch: REL_11_STABLE [5a9f99bed] 2020-10-19 19:03:47 -0400 |
| 81 | +Branch: REL_10_STABLE [68f236993] 2020-10-19 19:03:47 -0400 |
| 82 | +Branch: REL9_6_STABLE [5c78f7977] 2020-10-19 19:03:47 -0400 |
| 83 | +Branch: REL9_5_STABLE [da129a04a] 2020-10-19 19:03:47 -0400 |
| 84 | +--> |
| 85 | + <para> |
| 86 | + Fix usage of complex connection-string parameters |
| 87 | + in <application>pg_dump</application>, |
| 88 | + <application>pg_restore</application>, |
| 89 | + <application>clusterdb</application>, |
| 90 | + <application>reindexdb</application>, |
| 91 | + and <application>vacuumdb</application> (Tom Lane) |
| 92 | + </para> |
| 93 | + |
| 94 | + <para> |
| 95 | + The <option>-d</option> parameter |
| 96 | + of <application>pg_dump</application> |
| 97 | + and <application>pg_restore</application>, or |
| 98 | + the <option>--maintenance-db</option> parameter of the other |
| 99 | + programs mentioned, can be a <quote>connection string</quote> |
| 100 | + containing multiple connection parameters rather than just a |
| 101 | + database name. In cases where these programs need to initiate |
| 102 | + additional connections, such as parallel processing or processing of |
| 103 | + multiple databases, the connection string was forgotten and just the |
| 104 | + basic connection parameters (database name, host, port, and |
| 105 | + username) were used for the additional connections. This could lead |
| 106 | + to connection failures if the connection string included any other |
| 107 | + essential information, such as non-default SSL or GSS parameters. |
| 108 | + Worse, the connection might succeed but not be encrypted as |
| 109 | + intended, or be vulnerable to man-in-the-middle attacks that the |
| 110 | + intended connection parameters would have prevented. |
| 111 | + (CVE-2020-25694) |
| 112 | + </para> |
| 113 | + </listitem> |
| 114 | + |
| 115 | + <listitem> |
| 116 | +<!-- |
| 117 | +Author: Tom Lane <tgl@sss.pgh.pa.us> |
| 118 | +Branch: master [85c54287a] 2020-10-21 16:19:00 -0400 |
| 119 | +Branch: REL_13_STABLE [2e4af4110] 2020-10-21 16:19:00 -0400 |
| 120 | +Branch: REL_12_STABLE [f656517ec] 2020-10-21 16:19:01 -0400 |
| 121 | +Branch: REL_11_STABLE [20be76d5c] 2020-10-21 16:19:01 -0400 |
| 122 | +Branch: REL_10_STABLE [8175da6e7] 2020-10-21 16:19:02 -0400 |
| 123 | +Branch: REL9_6_STABLE [870a23230] 2020-10-21 16:18:41 -0400 |
| 124 | +Branch: REL9_5_STABLE [6997da09a] 2020-10-21 16:18:41 -0400 |
| 125 | +--> |
| 126 | + <para> |
| 127 | + When <application>psql</application>'s <command>\connect</command> |
| 128 | + command re-uses connection parameters, ensure that all |
| 129 | + non-overridden parameters from a previous connection string are |
| 130 | + re-used (Tom Lane) |
| 131 | + </para> |
| 132 | + |
| 133 | + <para> |
| 134 | + This avoids cases where reconnection might fail due to omission of |
| 135 | + relevant parameters, such as non-default SSL or GSS options. |
| 136 | + Worse, the reconnection might succeed but not be encrypted as |
| 137 | + intended, or be vulnerable to man-in-the-middle attacks that the |
| 138 | + intended connection parameters would have prevented. |
| 139 | + This is largely the same problem as just cited |
| 140 | + for <application>pg_dump</application> et al, |
| 141 | + although <application>psql</application>'s behavior is more complex |
| 142 | + since the user may intentionally override some connection |
| 143 | + parameters. |
| 144 | + (CVE-2020-25694) |
| 145 | + </para> |
| 146 | + </listitem> |
| 147 | + |
| 148 | + <listitem> |
| 149 | +<!-- |
| 150 | +Author: Noah Misch <noah@leadboat.com> |
| 151 | +Branch: master [098fb0079] 2020-11-09 07:32:09 -0800 |
| 152 | +Branch: REL_13_STABLE [67029845b] 2020-11-09 07:32:12 -0800 |
| 153 | +Branch: REL_12_STABLE [3855e5b47] 2020-11-09 07:32:13 -0800 |
| 154 | +Branch: REL_11_STABLE [7b356c78f] 2020-11-09 07:32:13 -0800 |
| 155 | +Branch: REL_10_STABLE [a498db87b] 2020-11-09 07:32:13 -0800 |
| 156 | +Branch: REL9_6_STABLE [12fd81cb7] 2020-11-09 07:32:14 -0800 |
| 157 | +Branch: REL9_5_STABLE [a54dfbee1] 2020-11-09 07:32:14 -0800 |
| 158 | +--> |
| 159 | + <para> |
| 160 | + Prevent <application>psql</application>'s <command>\gset</command> |
| 161 | + command from modifying specially-treated variables (Noah Misch) |
| 162 | + </para> |
| 163 | + |
| 164 | + <para> |
| 165 | + <command>\gset</command> without a prefix would overwrite whatever |
| 166 | + variables the server told it to. Thus, a compromised server could |
| 167 | + set specially-treated variables such as <varname>PROMPT1</varname>, |
| 168 | + giving the ability to execute arbitrary shell code in the user's |
| 169 | + session. |
| 170 | + </para> |
| 171 | + |
| 172 | + <para> |
| 173 | + The <productname>PostgreSQL</productname> Project thanks |
| 174 | + Nick Cleaton for reporting this problem. |
| 175 | + (CVE-2020-25696) |
| 176 | + </para> |
| 177 | + </listitem> |
| 178 | + |
| 179 | + <listitem> |
| 180 | +<!-- |
| 181 | +Author: Noah Misch <noah@leadboat.com> |
39 | 182 | Branch: master [566372b3d] 2020-08-15 10:15:53 -0700 |
40 | 183 | Branch: REL_13_STABLE Release: REL_13_0 [592a589a0] 2020-08-15 10:15:56 -0700 |
41 | 184 | Branch: REL_12_STABLE [30e68a2ab] 2020-08-15 10:15:56 -0700 |
@@ -603,79 +746,6 @@ Branch: REL9_5_STABLE [aff06436c] 2020-10-28 14:35:53 -0400 |
603 | 746 |
|
604 | 747 | <listitem> |
605 | 748 | <!-- |
606 | | -Author: Tom Lane <tgl@sss.pgh.pa.us> |
607 | | -Branch: master [a45bc8a4f] 2020-09-24 18:19:38 -0400 |
608 | | -Branch: REL_13_STABLE [cb8885ac4] 2020-09-24 18:19:38 -0400 |
609 | | -Branch: REL_12_STABLE [fb93f784f] 2020-09-24 18:19:38 -0400 |
610 | | -Branch: REL_11_STABLE [1738a61c8] 2020-09-24 18:19:39 -0400 |
611 | | -Branch: REL_10_STABLE [1888ff8d0] 2020-09-24 18:19:39 -0400 |
612 | | -Branch: REL9_6_STABLE [7c154f2fd] 2020-09-24 18:19:39 -0400 |
613 | | -Branch: REL9_5_STABLE [56b46d3a1] 2020-09-24 18:19:39 -0400 |
614 | | -Branch: master [8e5793ab6] 2020-10-19 19:03:46 -0400 |
615 | | -Branch: REL_13_STABLE [1814f915b] 2020-10-19 19:03:46 -0400 |
616 | | -Branch: REL_12_STABLE [c6d0b9b16] 2020-10-19 19:03:46 -0400 |
617 | | -Branch: REL_11_STABLE [5a9f99bed] 2020-10-19 19:03:47 -0400 |
618 | | -Branch: REL_10_STABLE [68f236993] 2020-10-19 19:03:47 -0400 |
619 | | -Branch: REL9_6_STABLE [5c78f7977] 2020-10-19 19:03:47 -0400 |
620 | | -Branch: REL9_5_STABLE [da129a04a] 2020-10-19 19:03:47 -0400 |
621 | | ---> |
622 | | - <para> |
623 | | - Fix usage of complex connection-string parameters |
624 | | - in <application>pg_dump</application>, |
625 | | - <application>pg_restore</application>, |
626 | | - <application>clusterdb</application>, |
627 | | - <application>reindexdb</application>, |
628 | | - and <application>vacuumdb</application> (Tom Lane) |
629 | | - </para> |
630 | | - |
631 | | - <para> |
632 | | - The <option>-d</option> parameter |
633 | | - of <application>pg_dump</application> |
634 | | - and <application>pg_restore</application>, or |
635 | | - the <option>--maintenance-db</option> parameter of the other |
636 | | - programs mentioned, can be a <quote>connection string</quote> |
637 | | - containing multiple connection parameters rather than just a |
638 | | - database name. In cases where these programs need to initiate |
639 | | - additional connections, such as parallel processing or processing of |
640 | | - multiple databases, the connection string was forgotten and just the |
641 | | - basic connection parameters (database name, host, port, and |
642 | | - username) were used for the additional connections. This could lead |
643 | | - to connection failures if the connection string included any other |
644 | | - essential information, such as non-default SSL or GSS parameters. |
645 | | - </para> |
646 | | - </listitem> |
647 | | - |
648 | | - <listitem> |
649 | | -<!-- |
650 | | -Author: Tom Lane <tgl@sss.pgh.pa.us> |
651 | | -Branch: master [85c54287a] 2020-10-21 16:19:00 -0400 |
652 | | -Branch: REL_13_STABLE [2e4af4110] 2020-10-21 16:19:00 -0400 |
653 | | -Branch: REL_12_STABLE [f656517ec] 2020-10-21 16:19:01 -0400 |
654 | | -Branch: REL_11_STABLE [20be76d5c] 2020-10-21 16:19:01 -0400 |
655 | | -Branch: REL_10_STABLE [8175da6e7] 2020-10-21 16:19:02 -0400 |
656 | | -Branch: REL9_6_STABLE [870a23230] 2020-10-21 16:18:41 -0400 |
657 | | -Branch: REL9_5_STABLE [6997da09a] 2020-10-21 16:18:41 -0400 |
658 | | ---> |
659 | | - <para> |
660 | | - When <application>psql</application>'s <command>\connect</command> |
661 | | - command re-uses connection parameters, ensure that all |
662 | | - non-overridden parameters from a previous connection string are |
663 | | - re-used (Tom Lane) |
664 | | - </para> |
665 | | - |
666 | | - <para> |
667 | | - This avoids cases where reconnection might fail due to omission of |
668 | | - relevant parameters, such as non-default SSL or GSS options. This |
669 | | - is largely the same problem as just cited |
670 | | - for <application>pg_dump</application> et al, |
671 | | - although <application>psql</application>'s behavior is more complex |
672 | | - since the user may intentionally override some connection |
673 | | - parameters. |
674 | | - </para> |
675 | | - </listitem> |
676 | | - |
677 | | - <listitem> |
678 | | -<!-- |
679 | 749 | Author: Andrew Dunstan <andrew@dunslane.net> |
680 | 750 | Branch: master [3eb3d3e78] 2020-09-04 13:54:54 -0400 |
681 | 751 | Branch: REL_13_STABLE Release: REL_13_0 [72857482c] 2020-09-04 13:55:11 -0400 |
|
0 commit comments