From: Tom Lane Date: Mon, 8 Aug 2022 15:28:47 +0000 (-0400) Subject: Last-minute updates for release notes. X-Git-Tag: REL_12_12~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a2398bf8b6413338faeb75cbb40a347be0741972;p=thirdparty%2Fpostgresql.git Last-minute updates for release notes. Security: CVE-2022-2625 --- diff --git a/doc/src/sgml/release-12.sgml b/doc/src/sgml/release-12.sgml index 085acd97116..d95a2259902 100644 --- a/doc/src/sgml/release-12.sgml +++ b/doc/src/sgml/release-12.sgml @@ -35,6 +35,41 @@ + + Do not let extension scripts replace objects not already belonging + to the extension (Tom Lane) + + + + This change prevents extension scripts from doing CREATE + OR REPLACE if there is an existing object that does not + belong to the extension. It also prevents CREATE IF NOT + EXISTS in the same situation. This prevents a form of + trojan-horse attack in which a hostile database user could become + the owner of an extension object and then modify it to compromise + future uses of the object by other users. As a side benefit, it + also reduces the risk of accidentally replacing objects one did + not mean to. + + + + The PostgreSQL Project thanks + Sven Klemm for reporting this problem. + (CVE-2022-2625) + + + + +