Last-minute updates for release notes.

Security: CVE-2022-1552

diff --git a/doc/src/sgml/release-13.sgml b/doc/src/sgml/release-13.sgml
index 42da1b504604cd12b608611b31173a91d6a86383..3f95cb18516e58d9b9b14c73c939bfde2c70fe36 100644 (file)
--- a/doc/src/sgml/release-13.sgml
+++ b/doc/src/sgml/release-13.sgml
@@ -26,7 +26,7 @@
     However, if you have any GiST indexes on columns of type
     ltree (supplied by the contrib/ltree
     extension), you should re-index them after updating.
-    See the first changelog entry below.
+    See the second changelog entry below.
    
 
    
@@ -42,6 +42,49 @@
 
     
 
+     
+      Confine additional operations within security restricted
+      operation sandboxes (Sergey Shinderuk, Noah Misch)
+     
+
+     
+      Autovacuum, CLUSTER, CREATE
+      INDEX, REINDEX, REFRESH
+      MATERIALIZED VIEW,
+      and pg_amcheck activated
+      the security restricted operation protection
+      mechanism too late, or even not at all in some code paths.
+      A user having permission to create non-temporary objects within a
+      database could define an object that would execute arbitrary SQL
+      code with superuser permissions the next time that autovacuum
+      processed the object, or that some superuser ran one of the affected
+      commands against it.
+     
+
+     
+      The PostgreSQL Project thanks
+      Alexander Lakhin for reporting this problem.
+      (CVE-2022-1552)
+     
+    
+
+    
+
-     
-      Disallow infinite endpoints in the timestamp variants
-      of generate_series() (Tom Lane)
-     
-
-     
-      Previously, such a call would run until canceled (or
-      out-of-disk-space).  The numeric variant already threw an error for
-      an infinite endpoint value, so do likewise for timestamps.
-     
-    
-
-    
-
+     
+      Avoid core dump in parser for a VALUES clause with
+      zero columns (Tom Lane)
+     
+    
+
+    
+