From: Tom Lane Date: Mon, 5 Feb 2018 19:43:41 +0000 (-0500) Subject: Last-minute updates for release notes. X-Git-Tag: REL9_3_21~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=01b2db1cd6673a94cc5249aa25b34e7d98535c11;p=thirdparty%2Fpostgresql.git Last-minute updates for release notes. Security: CVE-2018-1052, CVE-2018-1053 --- diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml index 8be44e33f61..6d339db8d33 100644 --- a/doc/src/sgml/release-9.3.sgml +++ b/doc/src/sgml/release-9.3.sgml @@ -33,6 +33,28 @@ + + + Ensure that all temporary files made + by pg_upgrade are non-world-readable + (Tom Lane, Noah Misch) + + + + pg_upgrade normally restricts its + temporary files to be readable and writable only by the calling user. + But the temporary file containing pg_dumpall -g + output would be group- or world-readable, or even writable, if the + user's umask setting allows. In typical usage on + multi-user machines, the umask and/or the working + directory's permissions would be tight enough to prevent problems; + but there may be people using pg_upgrade + in scenarios where this oversight would permit disclosure of database + passwords to unfriendly eyes. + (CVE-2018-1053) + + + Fix vacuuming of tuples that were updated while key-share locked