author | Tom Lane <tgl@sss.pgh.pa.us> | 2021-05-10 13:10:29 -0400 |
---|---|---|
committer | Tom Lane <tgl@sss.pgh.pa.us> | 2021-05-10 13:10:29 -0400 |
commit | 25387cc56d344eaa9545b8233496296cf6087477 (patch) | |
tree | 915b4a88a695f9784f82cf2f04b0953b276300a2 | |
parent | 52a4413627319980843bb8f375f28c7f01c45e18 (diff) | |
Last-minute updates for release notes.
Security: CVE-2021-32027, CVE-2021-32028, CVE-2021-32029
-rw-r--r-- | doc/src/sgml/release-10.sgml | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/doc/src/sgml/release-10.sgml b/doc/src/sgml/release-10.sgml index cbfc7a622f8..77da2dcd3e8 100644 --- a/doc/src/sgml/release-10.sgml +++ b/doc/src/sgml/release-10.sgml 
@@ -36,6 +36,69 @@ <listitem> <!-- Author: Tom Lane <tgl@sss.pgh.pa.us> +Branch: master [f02b9085a] 2021-05-10 10:44:38 -0400 +Branch: REL_13_STABLE [467395bfd] 2021-05-10 10:44:38 -0400 +Branch: REL_12_STABLE [3b0f6a7ae] 2021-05-10 10:44:38 -0400 +Branch: REL_11_STABLE [06bfbe854] 2021-05-10 10:44:38 -0400 +Branch: REL_10_STABLE [2fb809d3e] 2021-05-10 10:44:38 -0400 +Branch: REL9_6_STABLE [0c1caa48d] 2021-05-10 10:44:38 -0400 +--> + <para> + Prevent integer overflows in array subscripting calculations + (Tom Lane) + </para> + + <para> + The array code previously did not complain about cases where an + array's lower bound plus length overflows an integer. This resulted + in later entries in the array becoming inaccessible (since their + subscripts could not be written as integers), but more importantly + it confused subsequent assignment operations. This could lead to + memory overwrites, with ensuing crashes or unwanted data + modifications. + (CVE-2021-32027) + </para> + </listitem> + + <listitem> +<!-- +Author: Tom Lane <tgl@sss.pgh.pa.us> +Branch: master [049e1e2ed] 2021-05-10 11:02:29 -0400 +Branch: REL_13_STABLE [4a8656a7e] 2021-05-10 11:02:29 -0400 +Branch: REL_12_STABLE [a5fa3e067] 2021-05-10 11:02:29 -0400 +Branch: REL_11_STABLE [b7d1f32ff] 2021-05-10 11:02:29 -0400 +Branch: REL_10_STABLE [52a441362] 2021-05-10 11:02:30 -0400 +Branch: REL9_6_STABLE [0fcb8e2e0] 2021-05-10 11:02:30 -0400 +--> + <para> + Fix mishandling of <quote>junk</quote> columns in <literal>INSERT + ... ON CONFLICT ... UPDATE</literal> target lists (Tom Lane) + </para> + + <para> + If the <literal>UPDATE</literal> list contains any multi-column + sub-selects (which give rise to junk columns in addition to the + results proper), the <literal>UPDATE</literal> path would end up + storing tuples that include the values of the extra junk columns. 
+ That's fairly harmless in the short run, but if new columns are + added to the table then the values would become accessible, possibly + leading to malfunctions if they don't match the datatypes of the + added columns. + </para> + + <para> + In addition, in versions supporting cross-partition updates, + a cross-partition update triggered by such a case had the reverse + problem: the junk columns were removed from the target list, + typically causing an immediate crash due to malfunction of the + multi-column sub-select mechanism. + (CVE-2021-32028) + </para> + </listitem> + + <listitem> +<!-- +Author: Tom Lane <tgl@sss.pgh.pa.us> Branch: master [f52c5d674] 2021-03-12 11:08:42 -0500 Branch: REL_13_STABLE [8a2297776] 2021-03-12 11:08:42 -0500 Branch: REL_12_STABLE [e7f7950f6] 2021-03-12 11:08:42 -0500 |
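Review bot: The commit message lists CVE-2021-32029, but the 63 added lines in this release-10.sgml hunk tag only CVE-2021-32027 (the array subscripting entry) and CVE-2021-32028 (the junk-column entry for INSERT ... ON CONFLICT ... UPDATE), and the diffstat shows no other file touched. If the third identifier is omitted because that fix does not apply to this branch, say so in the commit message so readers do not look for a missing entry. Separately, the last paragraph of the CVE-2021-32028 entry begins "In addition, in versions supporting cross-partition updates" without saying whether version 10 is one of those versions. Since this file is the version 10 release notes, either state that explicitly or drop the paragraph if it does not apply here.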