From 1b85e65846aa16ede7aeddd67a9bd16ec73a18ae Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 5 Aug 2024 14:03:20 -0400 Subject: [PATCH] Last-minute updates for release notes. Security: CVE-2024-7348 --- doc/src/sgml/release-12.sgml | 39 ++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/doc/src/sgml/release-12.sgml b/doc/src/sgml/release-12.sgml index e5b7206d448..e59b91378da 100644 --- a/doc/src/sgml/release-12.sgml +++ b/doc/src/sgml/release-12.sgml @@ -41,6 +41,45 @@ + + Prevent unauthorized code execution + during pg_dump (Masahiko Sawada) + + + + An attacker able to create and drop non-temporary objects could + inject SQL code that would be executed by a + concurrent pg_dump session with the + privileges of the role running pg_dump + (which is often a superuser). The attack involves replacing a + sequence or similar object with a view or foreign table that will + execute malicious code. To prevent this, introduce a new server + parameter restrict_nonsystem_relation_kind that + can disable expansion of non-builtin views as well as access to + foreign tables, and teach pg_dump to set + it when available. Note that the attack is prevented only if + both pg_dump and the server it is dumping + from are new enough to have this fix. + + + + The PostgreSQL Project thanks + Noah Misch for reporting this problem. + (CVE-2024-7348) + + + + +
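Review bot: In the first added paragraph, the sentence introducing restrict_nonsystem_relation_kind says it "can disable expansion of non-builtin views as well as access to foreign tables" but, as the text reads here, does not say which values the parameter accepts or where it is documented. An administrator whose dump-like jobs are not run through pg_dump cannot tell from this entry how to apply the same restriction. Suggest pointing to the parameter's own documentation entry. The closing caveat, "only if both pg_dump and the server it is dumping from are new enough", is the operationally important line for anyone who updates client and server packages separately. Consider moving it ahead of the description of the mechanism so that it is not read as an afterthought.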