+ Block DECLARE CURSOR ... WITH HOLD and firing of
+ deferred triggers within index expressions and materialized view
+ queries (Noah Misch)
+
+
+ This is essentially a leak in the security restricted
+ operation sandbox mechanism. An attacker having permission
+ to create non-temporary SQL objects could parlay this leak to
+ execute arbitrary SQL code as a superuser.
+
+
+ The
PostgreSQL Project thanks
+ Etienne Stalmans for reporting this problem.
+ (CVE-2020-25695)
+
+
+
+
+
+ Fix usage of complex connection-string parameters
+ and
vacuumdb (Tom Lane)
+
+
+ The parameter
+ the parameter of the other
+ programs mentioned, can be a connection string
+ containing multiple connection parameters rather than just a
+ database name. In cases where these programs need to initiate
+ additional connections, such as parallel processing or processing of
+ multiple databases, the connection string was forgotten and just the
+ basic connection parameters (database name, host, port, and
+ username) were used for the additional connections. This could lead
+ to connection failures if the connection string included any other
+ essential information, such as non-default SSL or GSS parameters.
+ Worse, the connection might succeed but not be encrypted as
+ intended, or be vulnerable to man-in-the-middle attacks that the
+ intended connection parameters would have prevented.
+ (CVE-2020-25694)
+
+
+
+
+
+ command re-uses connection parameters, ensure that all
+ non-overridden parameters from a previous connection string are
+ re-used (Tom Lane)
+
+
+ This avoids cases where reconnection might fail due to omission of
+ relevant parameters, such as non-default SSL or GSS options.
+ Worse, the reconnection might succeed but not be encrypted as
+ intended, or be vulnerable to man-in-the-middle attacks that the
+ intended connection parameters would have prevented.
+ This is largely the same problem as just cited
+ although
psql's behavior is more complex
+ since the user may intentionally override some connection
+ parameters.
+ (CVE-2020-25694)
+
+
+
+
+
+ command from modifying specially-treated variables (Noah Misch)
+
+
+ \gset without a prefix would overwrite whatever
+ variables the server told it to. Thus, a compromised server could
+ set specially-treated variables such as PROMPT1,
+ giving the ability to execute arbitrary shell code in the user's
+ session.
+
+
+ The
PostgreSQL Project thanks
+ Nick Cleaton for reporting this problem.
+ (CVE-2020-25696)
+
+
+
+
+
- Fix usage of complex connection-string parameters
- and
vacuumdb (Tom Lane)
-
-
- The parameter
- the parameter of the other
- programs mentioned, can be a connection string
- containing multiple connection parameters rather than just a
- database name. In cases where these programs need to initiate
- additional connections, such as parallel processing or processing of
- multiple databases, the connection string was forgotten and just the
- basic connection parameters (database name, host, port, and
- username) were used for the additional connections. This could lead
- to connection failures if the connection string included any other
- essential information, such as non-default SSL or GSS parameters.
-
-
-
-
-
- command re-uses connection parameters, ensure that all
- non-overridden parameters from a previous connection string are
- re-used (Tom Lane)
-
-
- This avoids cases where reconnection might fail due to omission of
- relevant parameters, such as non-default SSL or GSS options. This
- is largely the same problem as just cited
- although
psql's behavior is more complex
- since the user may intentionally override some connection
- parameters.
-
-
-
-
-
projects / postgresql.git / commitdiff