From: Tom Lane Date: Mon, 8 Aug 2022 15:28:47 +0000 (-0400) Subject: Last-minute updates for release notes. X-Git-Tag: REL_11_17~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=197671018875d278db7075f604eca02b42a33c3e;p=thirdparty%2Fpostgresql.git Last-minute updates for release notes. Security: CVE-2022-2625 --- diff --git a/doc/src/sgml/release-11.sgml b/doc/src/sgml/release-11.sgml index 3bddd9d6848..9445e5e3c7f 100644 --- a/doc/src/sgml/release-11.sgml +++ b/doc/src/sgml/release-11.sgml @@ -35,6 +35,41 @@ + + Do not let extension scripts replace objects not already belonging + to the extension (Tom Lane) + + + + This change prevents extension scripts from doing CREATE + OR REPLACE if there is an existing object that does not + belong to the extension. It also prevents CREATE IF NOT + EXISTS in the same situation. This prevents a form of + trojan-horse attack in which a hostile database user could become + the owner of an extension object and then modify it to compromise + future uses of the object by other users. As a side benefit, it + also reduces the risk of accidentally replacing objects one did + not mean to. + + + + The PostgreSQL Project thanks + Sven Klemm for reporting this problem. + (CVE-2022-2625) + + + + +