Last-minute updates for release notes.

Security: CVE-2018-1115

diff --git a/doc/src/sgml/release-10.sgml b/doc/src/sgml/release-10.sgml
index 635509c3fa802f6124cf09b74e89633ca039cbae..bdaeb95ec598f35b9c7333bbb1b408ec97472587 100644 (file)
--- a/doc/src/sgml/release-10.sgml
+++ b/doc/src/sgml/release-10.sgml
@@ -23,9 +23,14 @@
    
 
    
-    However, if the function marking mistakes mentioned in the first two
-    changelog entries below affect you, you will want to take steps to
-    correct your database catalogs.
+    However, if you use the adminpack extension,
+    you should update it as per the first changelog entry below.
+   
+
+   
+    Also, if the function marking mistakes mentioned in the second and
+    third changelog entries below affect you, you will want to take steps
+    to correct your database catalogs.
    
 
    
@@ -41,6 +46,39 @@
 
     
 
+     
+      Remove public execute privilege
+      from contrib/adminpack's
+      pg_logfile_rotate() function (Stephen Frost)
+     
+
+     
+      pg_logfile_rotate() is a deprecated wrapper
+      for the core function pg_rotate_logfile().
+      When that function was changed to rely on SQL privileges for access
+      control rather than a hard-coded superuser
+      check, pg_logfile_rotate() should have been
+      updated as well, but the need for this was missed.  Hence,
+      if adminpack is installed, any user could
+      request a logfile rotation, creating a minor security issue.
+     
+
+     
+      After installing this update, administrators should
+      update adminpack by performing
+      ALTER EXTENSION adminpack UPDATE in each
+      database in which adminpack is installed.
+      (CVE-2018-1115)
+     
+    
+
+    
+