Last-minute updates for release notes.

Security: CVE-2018-1115

diff --git a/doc/src/sgml/release-9.6.sgml b/doc/src/sgml/release-9.6.sgml
index e626b19f37944fac1c3a31cd9fabbe2f8ed73f4b..4165287057b4434d8a3db5e73272c5b01e30e424 100644 (file)
--- a/doc/src/sgml/release-9.6.sgml
+++ b/doc/src/sgml/release-9.6.sgml
@@ -23,9 +23,14 @@
    
 
    
-    However, if the function marking mistakes mentioned in the first two
-    changelog entries below affect you, you will want to take steps to
-    correct your database catalogs.
+    However, if you use the adminpack extension,
+    you should update it as per the first changelog entry below.
+   
+
+   
+    Also, if the function marking mistakes mentioned in the second and
+    third changelog entries below affect you, you will want to take steps
+    to correct your database catalogs.
    
 
    
@@ -39,6 +44,33 @@
 
    
 
+    
+     
+      Remove public execute privilege
+      from contrib/adminpack's
+      pg_logfile_rotate() function (Stephen Frost)
+     
+
+     
+      pg_logfile_rotate() is a deprecated wrapper
+      for the core function pg_rotate_logfile().
+      When that function was changed to rely on SQL privileges for access
+      control rather than a hard-coded superuser
+      check, pg_logfile_rotate() should have been
+      updated as well, but the need for this was missed.  Hence,
+      if adminpack is installed, any user could
+      request a logfile rotation, creating a minor security issue.
+     
+
+     
+      After installing this update, administrators should
+      update adminpack by performing
+      ALTER EXTENSION adminpack UPDATE in each
+      database in which adminpack is installed.
+      (CVE-2018-1115)
+     
+    
+
     
      
       Fix incorrect volatility markings on a few built-in functions