8000 Last-minute updates for release notes. · yazun/postgres@0ba3e3e · GitHub

Commit 0ba3e3e

committed
Last-minute updates for release notes.
Security: CVE-2018-1052, CVE-2018-1053
1 parent 5bdbc5b commit 0ba3e3e

File tree

4 files changed

+88
-0
lines changed

doc/src/sgml/release-9.3.sgml

Lines changed: 22 additions & 0 deletions
@@ -33,6 +33,28 @@
3333

3434
<itemizedlist>
3535

36+
<listitem>
37+
<para>
38+
Ensure that all temporary files made
39+
by <application>pg_upgrade</application> are non-world-readable
40+
(Tom Lane, Noah Misch)
41+
</para>
42+
43+
<para>
44+
<application>pg_upgrade</application> normally restricts its
45+
temporary files to be readable and writable only by the calling user.
46+
But the temporary file containing <literal>pg_dumpall -g</literal>
47+
output would be group- or world-readable, or even writable, if the
48+
user's <literal>umask</literal> setting allows. In typical usage on
49+
multi-user machines, the <literal>umask</literal> and/or the working
50+
directory's permissions would be tight enough to prevent problems;
51+
but there may be people using <application>pg_upgrade</application>
52+
in scenarios where this oversight would permit disclosure of database
53+
passwords to unfriendly eyes.
54+
(CVE-2018-1053)
55+
</para>
56+
</listitem>
57+
3658
<listitem>
3759
<para>
3860
Fix vacuuming of tuples that were updated while key-share locked
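
Review bot: The headline at 38+/39+ ("are non-world-readable") is narrower than the body it introduces, which says at 47+ that the file could also be group-readable or even writable. Since 44+/45+ state that pg_upgrade normally restricts its temporary files to be readable and writable only by the calling user, the headline should describe the fix in the same terms, e.g. "are readable and writable only by the calling user", so a reader skimming the list does not conclude that group access is still permitted.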

doc/src/sgml/release-9.4.sgml

Lines changed: 22 additions & 0 deletions
@@ -33,6 +33,28 @@
3333

3434
<itemizedlist>
3535

36+
<listitem>
37+
<para>
38+
Ensure that all temporary files made
39+
by <application>pg_upgrade</application> are non-world-readable
40+
(Tom Lane, Noah Misch)
41+
</para>
42+
43+
<para>
44+
<application>pg_upgrade</application> normally restricts its
45+
temporary files to be readable and writable only by the calling user.
46+
But the temporary file containing <literal>pg_dumpall -g</literal>
47+
output would be group- or world-readable, or even writable, if the
48+
user's <literal>umask</literal> setting allows. In typical usage on
49+
multi-user machines, the <literal>umask</literal> and/or the working
50+
directory's permissions would be tight enough to prevent problems;
51+
but there may be people using <application>pg_upgrade</application>
52+
in scenarios where this oversight would permit disclosure of database
53+
passwords to unfriendly eyes.
54+
(CVE-2018-1053)
55+
</para>
56+
</listitem>
57+
3658
<listitem>
3759
<para>
3860
Fix vacuuming of tuples that were updated while key-share locked
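
Review bot: The commit message lists CVE-2018-1052 alongside CVE-2018-1053, but this hunk (like the other three) adds only the CVE-2018-1053 item at 54+. If CVE-2018-1052 does not affect the 9.4 branch that is fine, but please confirm the omission is deliberate rather than an oversight, since the Security line of the commit message is what people will grep the release notes for.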

doc/src/sgml/release-9.5.sgml

Lines changed: 22 additions & 0 deletions
@@ -33,6 +33,28 @@
3333

3434
<itemizedlist>
3535

36+
<listitem>
37+
<para>
38+
Ensure that all temporary files made
39+
by <application>pg_upgrade</application> are non-world-readable
40+
(Tom Lane, Noah Misch)
41+
</para>
42+
43+
<para>
44+
<application>pg_upgrade</application> normally restricts its
45+
temporary files to be readable and writable only by the calling user.
46+
But the temporary file containing <literal>pg_dumpall -g</literal>
47+
output would be group- or world-readable, or even writable, if the
48+
user's <literal>umask</literal> setting allows. In typical usage on
49+
multi-user machines, the <literal>umask</literal> and/or the working
50+
directory's permissions would be tight enough to prevent problems;
51+
but there may be people using <application>pg_upgrade</application>
52+
in scenarios where this oversight would permit disclosure of database
53+
passwords to unfriendly eyes.
54+
(CVE-2018-1053)
55+
</para>
56+
</listitem>
57+
3658
<listitem>
3759
<para>
3860
Fix vacuuming of tuples that were updated while key-share locked
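
Review bot: The paragraph at 51+ to 53+ describes the exposure (disclosure of database passwords to other users of the machine) but gives no remediation guidance. A release note for a disclosure issue normally tells affected users what to do, so consider adding a sentence advising anyone who has run pg_upgrade on a multi-user machine with a permissive umask to treat the passwords contained in the pg_dumpall -g output as potentially exposed and to reset them.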

doc/src/sgml/release-9.6.sgml

Lines changed: 22 additions & 0 deletions
@@ -39,6 +39,28 @@
3939

4040
<itemizedlist>
4141

42+
<listitem>
43+
<para>
44+
Ensure that all temporary files made
45+
by <application>pg_upgrade</application> are non-world-readable
46+
(Tom Lane, Noah Misch)
47+
</para>
48+
49+
<para>
50+
<application>pg_upgrade</application> normally restricts its
51+
temporary files to be readable and writable only by the calling user.
52+
But the temporary file containing <literal>pg_dumpall -g</literal>
53+
output would be group- or world-readable, or even writable, if the
54+
user's <literal>umask</literal> setting allows. In typical usage on
55+
multi-user machines, the <literal>umask</literal> and/or the working
56+
directory's permissions would be tight enough to prevent problems;
57+
but there may be people using <application>pg_upgrade</application>
58+
in scenarios where this oversight would permit disclosure of database
59+
passwords to unfriendly eyes.
60+
(CVE-2018-1053)
61+
</para>
62+
</listitem>
63+
4264
<listitem>
4365
<para>
4466
Fix vacuuming of tuples that were updated while key-share locked
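
Review bot: The sentence at 54+ to 56+ observes that a tight umask and/or working-directory permissions would have prevented the problem, but leaves it as an observation. Consider stating it as an explicit mitigation for users who cannot update immediately, e.g. run pg_upgrade with a restrictive umask and from a directory that other users cannot read, since both controls are already named in the paragraph.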
