+ Fix buffer-overflow hazards in SCRAM verifier parsing
+ (Jonathan Katz, Heikki Linnakangas, Michael Paquier)
+
+
+ Any authenticated user could cause a stack-based buffer overflow by
+ changing their own password to a purpose-crafted value. In addition
+ to the ability to crash the
PostgreSQL
+ server, this could suffice for executing arbitrary code as
+ the
PostgreSQL operating system account.
+
+
+ A similar overflow hazard existed
+ in
libpq, which could allow a rogue
+ server to crash a client or perhaps execute arbitrary code as the
+ client's operating system account.
+
+
+ The
PostgreSQL Project thanks Alexander
+ Lakhin for reporting this problem. (CVE-2019-10164)
+
+
+
+
+
- Avoid spurious deadlock failures when upgrading a tuple lock (Oleksii
- Kliukin)
-
-
-
-
-
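Review bot: The libpq paragraph (the added lines beginning "A similar overflow hazard existed") describes a client-side overflow triggered by a rogue server, but the entry never says that client installations need the fixed libpq as well. A reader could conclude that upgrading the server alone closes CVE-2019-10164. Suggest adding a sentence to that paragraph stating that applications linked against libpq must be updated too. The two paragraphs also hedge the impact differently ("could suffice for executing arbitrary code" for the server, "perhaps execute arbitrary code" for the client); pick one wording if the intended severity is the same. Separately, the removed lines at the end drop the "Avoid spurious deadlock failures when upgrading a tuple lock" entry and nothing visible here re-adds it, so please confirm it was moved rather than lost.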