Last-minute updates for release notes.

Security: CVE-2018-1052, CVE-2018-1053

diff --git a/doc/src/sgml/release-10.sgml b/doc/src/sgml/release-10.sgml
index 6d589e5d560c96a81d429e2a9c274edc77058087..dbb1a9b2e6d6adc6af59da5c24bf037fd2435aa7 100644 (file)
--- a/doc/src/sgml/release-10.sgml
+++ b/doc/src/sgml/release-10.sgml
@@ -41,6 +41,55 @@
 
     
 
+     
+      Fix processing of partition keys containing multiple expressions
+      (Álvaro Herrera, David Rowley)
+     
+
+     
+      This error led to crashes or, with carefully crafted input, disclosure
+      of arbitrary backend memory.
+      (CVE-2018-1052)
+     
+    
+
+    
+
+     
+      Ensure that all temporary files made
+      by pg_upgrade are non-world-readable
+      (Tom Lane, Noah Misch)
+     
+
+     
+      pg_upgrade normally restricts its
+      temporary files to be readable and writable only by the calling user.
+      But the temporary file containing pg_dumpall -g
+      output would be group- or world-readable, or even writable, if the
+      user's umask setting allows.  In typical usage on
+      multi-user machines, the umask and/or the working
+      directory's permissions would be tight enough to prevent problems;
+      but there may be people using pg_upgrade
+      in scenarios where this oversight would permit disclosure of database
+      passwords to unfriendly eyes.
+      (CVE-2018-1053)
+     
+    
+
+    
+