author | Tom Lane <tgl@sss.pgh.pa.us> | 2024-05-06 12:27:26 -0400 |
---|---|---|
committer | Tom Lane <tgl@sss.pgh.pa.us> | 2024-05-06 12:27:26 -0400 |
commit | 7b2ac0f6039f0f64d80c7488f0f718094cfb89a2 (patch) | |
tree | 5b0de852f5ad3a792404b3fae800e11f8bf7b590 | |
parent | 9cc2b62894de6a8b3d78d20bcd1a6647a7553a6c (diff) | |
Last-minute updates for release notes.
Security: CVE-2024-4317
-rw-r--r-- | doc/src/sgml/release-15.sgml | 95 |
1 files changed, 94 insertions, 1 deletions
diff --git a/doc/src/sgml/release-15.sgml b/doc/src/sgml/release-15.sgml index 196973462b9..e74161cb808 100644 --- a/doc/src/sgml/release-15.sgml +++ b/doc/src/sgml/release-15.sgml @@ -23,7 +23,16 @@ </para> <para> - However, if you are upgrading from a version earlier than 15.6, + However, a security vulnerability was found in the system + views <structname>pg_stats_ext</structname> + and <structname>pg_stats_ext_exprs</structname>, potentially allowing + authenticated database users to see data they shouldn't. If this is + of concern in your installation, follow the steps in the first + changelog entry below to rectify it. + </para> + + <para> + Also, if you are upgrading from a version earlier than 15.6, see <xref linkend="release-15-6"/>. </para> </sect2> 
@@ -35,6 +44,90 @@ <listitem> <!-- +Author: Nathan Bossart <nathan@postgresql.org> +Branch: master [521a7156a] 2024-05-06 09:00:00 -0500 +Branch: REL_16_STABLE [2485a85e9] 2024-05-06 09:00:07 -0500 +Branch: REL_15_STABLE [9cc2b6289] 2024-05-06 09:00:13 -0500 +Branch: REL_14_STABLE [c3425383b] 2024-05-06 09:00:19 -0500 +--> + <para> + Restrict visibility of <structname>pg_stats_ext</structname> and + <structname>pg_stats_ext_exprs</structname> entries to the table + owner (Nathan Bossart) + </para> + + <para> + These views failed to hide statistics for expressions that involve + columns the accessing user does not have permission to read. View + columns such as <structfield>most_common_vals</structfield> might + expose security-relevant data. The potential interactions here are + not fully clear, so in the interest of erring on the side of safety, + make rows in these views visible only to the owner of the associated + table. + </para> + + <para> + The <productname>PostgreSQL</productname> Project thanks + Lukas Fittl for reporting this problem. + (CVE-2024-4317) + </para> + + <para> + By itself, this fix will only fix the behavior in newly initdb'd + database clusters. If you wish to apply this change in an existing + cluster, you will need to do the following: + </para> + + <procedure> + <step> + <para> + Find the SQL script <filename>fix-CVE-2024-4317.sql</filename> in + the <replaceable>share</replaceable> directory of + the <productname>PostgreSQL</productname> installation (typically + located someplace like <filename>/usr/share/postgresql/</filename>). + Be sure to use the script appropriate to + your <productname>PostgreSQL</productname> major version. + If you do not see this file, either your version is not vulnerable + (only v14–v16 are affected) or your minor version is too + old to have the fix. 
+ </para> + </step> + + <step> + <para> + In <emphasis>each</emphasis> database of the cluster, run + the <filename>fix-CVE-2024-4317.sql</filename> script as superuser. + In <application>psql</application> this would look like +<programlisting> +\i /usr/share/postgresql/fix-CVE-2024-4317.sql +</programlisting> + (adjust the file path as appropriate). Any error probably indicates + that you've used the wrong script version. It will not hurt to run + the script more than once. + </para> + </step> + + <step> + <para> + Do not forget to include the <literal>template0</literal> + and <literal>template1</literal> databases, or the vulnerability + will still exist in databases you create later. To + fix <literal>template0</literal>, you'll need to temporarily make + it accept connections. Do that with +<programlisting> +ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true; +</programlisting> + and then after fixing <literal>template0</literal>, undo it with +<programlisting> +ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false; +</programlisting> + </para> + </step> + </procedure> + </listitem> + + <listitem> +<!-- Author: Tom Lane <tgl@sss.pgh.pa.us> Branch: master [b4a71cf65] 2024-03-14 14:57:16 -0400 Branch: REL_16_STABLE [52898c63e] 2024-03-14 14:57:16 -0400 |
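Review bot: In the first hunk (@@ -23,7 +23,16 @@), the new migration paragraph does not say that installing the minor release leaves existing clusters unchanged; that fact only appears in the fourth paragraph of the changelog entry ("By itself, this fix will only fix the behavior in newly initdb'd database clusters"). A reader who stops at the migration section can reasonably conclude the upgrade alone is enough. Consider stating here that existing clusters stay affected until the script is run. Also, "the first changelog entry below" points by position; an <xref> to an id on that entry would survive reordering, the way the next paragraph uses <xref linkend="release-15-6"/>.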
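Review bot: In the second hunk (@@ -35,6 +44,90 @@), the template0 handling sits in the third <step>, after the step that tells the reader to run the script in each database, so someone working through the procedure in order reaches "run the script" before learning that template0 must first be made connectable. Consider moving the ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true instruction ahead of the run step, or folding it into that step, and keeping the ALLOW_CONNECTIONS false line as the closing step so it is not skipped. Two smaller points: the procedure gives no way to confirm that a given database has been fixed, and "Any error probably indicates that you've used the wrong script version" would be more useful if it named what to check. For locating the <replaceable>share</replaceable> directory, mentioning pg_config --sharedir would be more dependable than "someplace like /usr/share/postgresql/".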