mirror/postgresql
2
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2025-03-07 19:47:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

Last-minute release note updates.

Browse Source 
Security: CVE-2012-0866, CVE-2012-0867, CVE-2012-0868
This commit is contained in:
Tom Lane 2012-02-23 17:48:05 -05:00
parent 02f013ee02
commit 09189cb605
3 changed files with 130 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
doc/src/sgml/release-8.3.sgml
View File

@ -34,6 +34,36 @@
<itemizedlist> <itemizedlist>
<listitem>
<para>
Require execute permission on the trigger function for
<command>CREATE TRIGGER</> (Robert Haas)
</para>
<para>
This missing check could allow another user to execute a trigger
function with forged input data, by installing it on a table he owns.
This is only of significance for trigger functions marked
<literal>SECURITY DEFINER</>, since otherwise trigger functions run
as the table owner anyway. (CVE-2012-0866)
</para>
</listitem>
<listitem>
<para>
Convert newlines to spaces in names written in <application>pg_dump</>
comments (Robert Haas)
</para>
<para>
<application>pg_dump</> was incautious about sanitizing object names
that are emitted within SQL comments in its output script. A name
containing a newline would at least render the script syntactically
incorrect. Maliciously crafted object names could present a SQL
injection risk when the script is reloaded. (CVE-2012-0868)
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Fix btree index corruption from insertions concurrent with vacuuming Fix btree index corruption from insertions concurrent with vacuuming

50
doc/src/sgml/release-8.4.sgml
View File

@ -34,6 +34,56 @@
<itemizedlist> <itemizedlist>
<listitem>
<para>
Require execute permission on the trigger function for
<command>CREATE TRIGGER</> (Robert Haas)
</para>
<para>
This missing check could allow another user to execute a trigger
function with forged input data, by installing it on a table he owns.
This is only of significance for trigger functions marked
<literal>SECURITY DEFINER</>, since otherwise trigger functions run
as the table owner anyway. (CVE-2012-0866)
</para>
</listitem>
<listitem>
<para>
Remove arbitrary limitation on length of common name in SSL
certificates (Heikki Linnakangas)
</para>
<para>
Both <application>libpq</> and the server truncated the common name
extracted from an SSL certificate at 32 bytes. Normally this would
cause nothing worse than an unexpected verification failure, but there
are some rather-implausible scenarios in which it might allow one
certificate holder to impersonate another. The victim would have to
have a common name exactly 32 bytes long, and the attacker would have
to persuade a trusted CA to issue a certificate in which the common
name has that string as a prefix. Impersonating a server would also
require some additional exploit to redirect client connections.
(CVE-2012-0867)
</para>
</listitem>
<listitem>
<para>
Convert newlines to spaces in names written in <application>pg_dump</>
comments (Robert Haas)
</para>
<para>
<application>pg_dump</> was incautious about sanitizing object names
that are emitted within SQL comments in its output script. A name
containing a newline would at least render the script syntactically
incorrect. Maliciously crafted object names could present a SQL
injection risk when the script is reloaded. (CVE-2012-0868)
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Fix btree index corruption from insertions concurrent with vacuuming Fix btree index corruption from insertions concurrent with vacuuming

50
doc/src/sgml/release-9.0.sgml
View File

@ -34,6 +34,56 @@
<itemizedlist> <itemizedlist>
<listitem>
<para>
Require execute permission on the trigger function for
<command>CREATE TRIGGER</> (Robert Haas)
</para>
<para>
This missing check could allow another user to execute a trigger
function with forged input data, by installing it on a table he owns.
This is only of significance for trigger functions marked
<literal>SECURITY DEFINER</>, since otherwise trigger functions run
as the table owner anyway. (CVE-2012-0866)
</para>
</listitem>
<listitem>
<para>
Remove arbitrary limitation on length of common name in SSL
certificates (Heikki Linnakangas)
</para>
<para>
Both <application>libpq</> and the server truncated the common name
extracted from an SSL certificate at 32 bytes. Normally this would
cause nothing worse than an unexpected verification failure, but there
are some rather-implausible scenarios in which it might allow one
certificate holder to impersonate another. The victim would have to
have a common name exactly 32 bytes long, and the attacker would have
to persuade a trusted CA to issue a certificate in which the common
name has that string as a prefix. Impersonating a server would also
require some additional exploit to redirect client connections.
(CVE-2012-0867)
</para>
</listitem>
<listitem>
<para>
Convert newlines to spaces in names written in <application>pg_dump</>
comments (Robert Haas)
</para>
<para>
<application>pg_dump</> was incautious about sanitizing object names
that are emitted within SQL comments in its output script. A name
containing a newline would at least render the script syntactically
incorrect. Maliciously crafted object names could present a SQL
injection risk when the script is reloaded. (CVE-2012-0868)
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Fix btree index corruption from insertions concurrent with vacuuming Fix btree index corruption from insertions concurrent with vacuuming