From: Tom Lane Date: Mon, 8 Aug 2022 15:28:47 +0000 (-0400) Subject: Last-minute updates for release notes. X-Git-Tag: REL_10_22~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cd1aef2972ed0b4aafc18c58495cc7e62eebc4c8;p=thirdparty%2Fpostgresql.git Last-minute updates for release notes. Security: CVE-2022-2625 --- diff --git a/doc/src/sgml/release-10.sgml b/doc/src/sgml/release-10.sgml index 6e1ae8d0b09..a34f9fde545 100644 --- a/doc/src/sgml/release-10.sgml +++ b/doc/src/sgml/release-10.sgml @@ -41,6 +41,41 @@ + + Do not let extension scripts replace objects not already belonging + to the extension (Tom Lane) + + + + This change prevents extension scripts from doing CREATE + OR REPLACE if there is an existing object that does not + belong to the extension. It also prevents CREATE IF NOT + EXISTS in the same situation. This prevents a form of + trojan-horse attack in which a hostile database user could become + the owner of an extension object and then modify it to compromise + future uses of the object by other users. As a side benefit, it + also reduces the risk of accidentally replacing objects one did + not mean to. + + + + The PostgreSQL Project thanks + Sven Klemm for reporting this problem. + (CVE-2022-2625) + + + + +