|
42 | 42 | <listitem> |
43 | 43 | <!-- |
44 | 44 | Author: Noah Misch <noah@leadboat.com> |
| 45 | +Branch: master [0c3185e96] 2020-11-09 07:32:09 -0800 |
| 46 | +Branch: REL_13_STABLE [c90c84b3f] 2020-11-09 07:32:12 -0800 |
| 47 | +Branch: REL_12_STABLE [ac8f6243c] 2020-11-09 07:32:12 -0800 |
| 48 | +Branch: REL_11_STABLE [43ebfea5a] 2020-11-09 07:32:13 -0800 |
| 49 | +Branch: REL_10_STABLE [f97ecea1e] 2020-11-09 07:32:13 -0800 |
| 50 | +Branch: REL9_6_STABLE [ff3de4c21] 2020-11-09 07:32:13 -0800 |
| 51 | +Branch: REL9_5_STABLE [aefc625de] 2020-11-09 07:32:14 -0800 |
| 52 | +--> |
| 53 | + <para> |
| 54 | + Block <command>DECLARE CURSOR ... WITH HOLD</command> and firing of |
| 55 | + deferred triggers within index expressions and materialized view |
| 56 | + queries (Noah Misch) |
| 57 | + </para> |
| 58 | + |
| 59 | + <para> |
| 60 | + This is essentially a leak in the <quote>security restricted |
| 61 | + operation</quote> sandbox mechanism. An attacker having permission |
| 62 | + to create non-temporary SQL objects could parlay this leak to |
| 63 | + execute arbitrary SQL code as a superuser. |
| 64 | + </para> |
| 65 | + |
| 66 | + <para> |
| 67 | + The <productname>PostgreSQL</productname> Project thanks |
| 68 | + Etienne Stalmans for reporting this problem. |
| 69 | + (CVE-2020-25695) |
| 70 | + </para> |
| 71 | + </listitem> |
| 72 | + |
| 73 | + <listitem> |
| 74 | +<!-- |
| 75 | +Author: Tom Lane <tgl@sss.pgh.pa.us> |
| 76 | +Branch: master [a45bc8a4f] 2020-09-24 18:19:38 -0400 |
| 77 | +Branch: REL_13_STABLE [cb8885ac4] 2020-09-24 18:19:38 -0400 |
| 78 | +Branch: REL_12_STABLE [fb93f784f] 2020-09-24 18:19:38 -0400 |
| 79 | +Branch: REL_11_STABLE [1738a61c8] 2020-09-24 18:19:39 -0400 |
| 80 | +Branch: REL_10_STABLE [1888ff8d0] 2020-09-24 18:19:39 -0400 |
| 81 | +Branch: REL9_6_STABLE [7c154f2fd] 2020-09-24 18:19:39 -0400 |
| 82 | +Branch: REL9_5_STABLE [56b46d3a1] 2020-09-24 18:19:39 -0400 |
| 83 | +Branch: master [8e5793ab6] 2020-10-19 19:03:46 -0400 |
| 84 | +Branch: REL_13_STABLE [1814f915b] 2020-10-19 19:03:46 -0400 |
| 85 | +Branch: REL_12_STABLE [c6d0b9b16] 2020-10-19 19:03:46 -0400 |
| 86 | +Branch: REL_11_STABLE [5a9f99bed] 2020-10-19 19:03:47 -0400 |
| 87 | +Branch: REL_10_STABLE [68f236993] 2020-10-19 19:03:47 -0400 |
| 88 | +Branch: REL9_6_STABLE [5c78f7977] 2020-10-19 19:03:47 -0400 |
| 89 | +Branch: REL9_5_STABLE [da129a04a] 2020-10-19 19:03:47 -0400 |
| 90 | +--> |
| 91 | + <para> |
| 92 | + Fix usage of complex connection-string parameters |
| 93 | + in <application>pg_dump</application>, |
| 94 | + <application>pg_restore</application>, |
| 95 | + <application>clusterdb</application>, |
| 96 | + <application>reindexdb</application>, |
| 97 | + and <application>vacuumdb</application> (Tom Lane) |
| 98 | + </para> |
| 99 | + |
| 100 | + <para> |
| 101 | + The <option>-d</option> parameter |
| 102 | + of <application>pg_dump</application> |
| 103 | + and <application>pg_restore</application>, or |
| 104 | + the <option>--maintenance-db</option> parameter of the other |
| 105 | + programs mentioned, can be a <quote>connection string</quote> |
| 106 | + containing multiple connection parameters rather than just a |
| 107 | + database name. In cases where these programs need to initiate |
| 108 | + additional connections, such as parallel processing or processing of |
| 109 | + multiple databases, the connection string was forgotten and just the |
| 110 | + basic connection parameters (database name, host, port, and |
| 111 | + username) were used for the additional connections. This could lead |
| 112 | + to connection failures if the connection string included any other |
| 113 | + essential information, such as non-default SSL or GSS parameters. |
| 114 | + Worse, the connection might succeed but not be encrypted as |
| 115 | + intended, or be vulnerable to man-in-the-middle attacks that the |
| 116 | + intended connection parameters would have prevented. |
| 117 | + (CVE-2020-25694) |
| 118 | + </para> |
| 119 | + </listitem> |
| 120 | + |
| 121 | + <listitem> |
| 122 | +<!-- |
| 123 | +Author: Tom Lane <tgl@sss.pgh.pa.us> |
| 124 | +Branch: master [85c54287a] 2020-10-21 16:19:00 -0400 |
| 125 | +Branch: REL_13_STABLE [2e4af4110] 2020-10-21 16:19:00 -0400 |
| 126 | +Branch: REL_12_STABLE [f656517ec] 2020-10-21 16:19:01 -0400 |
| 127 | +Branch: REL_11_STABLE [20be76d5c] 2020-10-21 16:19:01 -0400 |
| 128 | +Branch: REL_10_STABLE [8175da6e7] 2020-10-21 16:19:02 -0400 |
| 129 | +Branch: REL9_6_STABLE [870a23230] 2020-10-21 16:18:41 -0400 |
| 130 | +Branch: REL9_5_STABLE [6997da09a] 2020-10-21 16:18:41 -0400 |
| 131 | +--> |
| 132 | + <para> |
| 133 | + When <application>psql</application>'s <command>\connect</command> |
| 134 | + command re-uses connection parameters, ensure that all |
| 135 | + non-overridden parameters from a previous connection string are |
| 136 | + re-used (Tom Lane) |
| 137 | + </para> |
| 138 | + |
| 139 | + <para> |
| 140 | + This avoids cases where reconnection might fail due to omission of |
| 141 | + relevant parameters, such as non-default SSL or GSS options. |
| 142 | + Worse, the reconnection might succeed but not be encrypted as |
| 143 | + intended, or be vulnerable to man-in-the-middle attacks that the |
| 144 | + intended connection parameters would have prevented. |
| 145 | + This is largely the same problem as just cited |
| 146 | + for <application>pg_dump</application> et al, |
| 147 | + although <application>psql</application>'s behavior is more complex |
| 148 | + since the user may intentionally override some connection |
| 149 | + parameters. |
| 150 | + (CVE-2020-25694) |
| 151 | + </para> |
| 152 | + </listitem> |
| 153 | + |
| 154 | + <listitem> |
| 155 | +<!-- |
| 156 | +Author: Noah Misch <noah@leadboat.com> |
| 157 | +Branch: master [098fb0079] 2020-11-09 07:32:09 -0800 |
| 158 | +Branch: REL_13_STABLE [67029845b] 2020-11-09 07:32:12 -0800 |
| 159 | +Branch: REL_12_STABLE [3855e5b47] 2020-11-09 07:32:13 -0800 |
| 160 | +Branch: REL_11_STABLE [7b356c78f] 2020-11-09 07:32:13 -0800 |
| 161 | +Branch: REL_10_STABLE [a498db87b] 2020-11-09 07:32:13 -0800 |
| 162 | +Branch: REL9_6_STABLE [12fd81cb7] 2020-11-09 07:32:14 -0800 |
| 163 | +Branch: REL9_5_STABLE [a54dfbee1] 2020-11-09 07:32:14 -0800 |
| 164 | +--> |
| 165 | + <para> |
| 166 | + Prevent <application>psql</application>'s <command>\gset</command> |
| 167 | + command from modifying specially-treated variables (Noah Misch) |
| 168 | + </para> |
| 169 | + |
| 170 | + <para> |
| 171 | + <command>\gset</command> without a prefix would overwrite whatever |
| 172 | + variables the server told it to. Thus, a compromised server could |
| 173 | + set specially-treated variables such as <varname>PROMPT1</varname>, |
| 174 | + giving the ability to execute arbitrary shell code in the user's |
| 175 | + session. |
| 176 | + </para> |
| 177 | + |
| 178 | + <para> |
| 179 | + The <productname>PostgreSQL</productname> Project thanks |
| 180 | + Nick Cleaton for reporting this problem. |
| 181 | + (CVE-2020-25696) |
| 182 | + </para> |
| 183 | + </listitem> |
| 184 | + |
| 185 | + <listitem> |
| 186 | +<!-- |
| 187 | +Author: Noah Misch <noah@leadboat.com> |
45 | 188 | Branch: master [566372b3d] 2020-08-15 10:15:53 -0700 |
46 | 189 | Branch: REL_13_STABLE Release: REL_13_0 [592a589a0] 2020-08-15 10:15:56 -0700 |
47 | 190 | Branch: REL_12_STABLE [30e68a2ab] 2020-08-15 10:15:56 -0700 |
@@ -564,79 +707,6 @@ Branch: REL9_5_STABLE [aff06436c] 2020-10-28 14:35:53 -0400 |
564 | 707 |
|
565 | 708 | <listitem> |
566 | 709 | <!-- |
567 | | -Author: Tom Lane <tgl@sss.pgh.pa.us> |
568 | | -Branch: master [a45bc8a4f] 2020-09-24 18:19:38 -0400 |
569 | | -Branch: REL_13_STABLE [cb8885ac4] 2020-09-24 18:19:38 -0400 |
570 | | -Branch: REL_12_STABLE [fb93f784f] 2020-09-24 18:19:38 -0400 |
571 | | -Branch: REL_11_STABLE [1738a61c8] 2020-09-24 18:19:39 -0400 |
572 | | -Branch: REL_10_STABLE [1888ff8d0] 2020-09-24 18:19:39 -0400 |
573 | | -Branch: REL9_6_STABLE [7c154f2fd] 2020-09-24 18:19:39 -0400 |
574 | | -Branch: REL9_5_STABLE [56b46d3a1] 2020-09-24 18:19:39 -0400 |
575 | | -Branch: master [8e5793ab6] 2020-10-19 19:03:46 -0400 |
576 | | -Branch: REL_13_STABLE [1814f915b] 2020-10-19 19:03:46 -0400 |
577 | | -Branch: REL_12_STABLE [c6d0b9b16] 2020-10-19 19:03:46 -0400 |
578 | | -Branch: REL_11_STABLE [5a9f99bed] 2020-10-19 19:03:47 -0400 |
579 | | -Branch: REL_10_STABLE [68f236993] 2020-10-19 19:03:47 -0400 |
580 | | -Branch: REL9_6_STABLE [5c78f7977] 2020-10-19 19:03:47 -0400 |
581 | | -Branch: REL9_5_STABLE [da129a04a] 2020-10-19 19:03:47 -0400 |
582 | | ---> |
583 | | - <para> |
584 | | - Fix usage of complex connection-string parameters |
585 | | - in <application>pg_dump</application>, |
586 | | - <application>pg_restore</application>, |
587 | | - <application>clusterdb</application>, |
588 | | - <application>reindexdb</application>, |
589 | | - and <application>vacuumdb</application> (Tom Lane) |
590 | | - </para> |
591 | | - |
592 | | - <para> |
593 | | - The <option>-d</option> parameter |
594 | | - of <application>pg_dump</application> |
595 | | - and <application>pg_restore</application>, or |
596 | | - the <option>--maintenance-db</option> parameter of the other |
597 | | - programs mentioned, can be a <quote>connection string</quote> |
598 | | - containing multiple connection parameters rather than just a |
599 | | - database name. In cases where these programs need to initiate |
600 | | - additional connections, such as parallel processing or processing of |
601 | | - multiple databases, the connection string was forgotten and just the |
602 | | - basic connection parameters (database name, host, port, and |
603 | | - username) were used for the additional connections. This could lead |
604 | | - to connection failures if the connection string included any other |
605 | | - essential information, such as non-default SSL or GSS parameters. |
606 | | - </para> |
607 | | - </listitem> |
608 | | - |
609 | | - <listitem> |
610 | | -<!-- |
611 | | -Author: Tom Lane <tgl@sss.pgh.pa.us> |
612 | | -Branch: master [85c54287a] 2020-10-21 16:19:00 -0400 |
613 | | -Branch: REL_13_STABLE [2e4af4110] 2020-10-21 16:19:00 -0400 |
614 | | -Branch: REL_12_STABLE [f656517ec] 2020-10-21 16:19:01 -0400 |
615 | | -Branch: REL_11_STABLE [20be76d5c] 2020-10-21 16:19:01 -0400 |
616 | | -Branch: REL_10_STABLE [8175da6e7] 2020-10-21 16:19:02 -0400 |
617 | | -Branch: REL9_6_STABLE [870a23230] 2020-10-21 16:18:41 -0400 |
618 | | -Branch: REL9_5_STABLE [6997da09a] 2020-10-21 16:18:41 -0400 |
619 | | ---> |
620 | | - <para> |
621 | | - When <application>psql</application>'s <command>\connect</command> |
622 | | - command re-uses connection parameters, ensure that all |
623 | | - non-overridden parameters from a previous connection string are |
624 | | - re-used (Tom Lane) |
625 | | - </para> |
626 | | - |
627 | | - <para> |
628 | | - This avoids cases where reconnection might fail due to omission of |
629 | | - relevant parameters, such as non-default SSL or GSS options. This |
630 | | - is largely the same problem as just cited |
631 | | - for <application>pg_dump</application> et al, |
632 | | - although <application>psql</application>'s behavior is more complex |
633 | | - since the user may intentionally override some connection |
634 | | - parameters. |
635 | | - </para> |
636 | | - </listitem> |
637 | | - |
638 | | - <listitem> |
639 | | -<!-- |
640 | 710 | Author: Andrew Dunstan <andrew@dunslane.net> |
641 | 711 | Branch: master [3eb3d3e78] 2020-09-04 13:54:54 -0400 |
642 | 712 | Branch: REL_13_STABLE Release: REL_13_0 [72857482c] 2020-09-04 13:55:11 -0400 |
|
0 commit comments