- However, see the first two changelog items below,
- which describe cases in which reindexing indexes after the upgrade
- may be advisable.
+ However, see the first changelog item below concerning a possible
+ need to update stored views. Also see the third and fourth changelog
+ items, which describe cases in which reindexing indexes after the
+ upgrade may be advisable.
+ Fix failure to check per-column SELECT privileges
+ in some join queries (Tom Lane)
+
+
+ In some cases involving joins, the parser failed to record all the
+ columns read by a query in the column-usage bitmaps that are used
+ for permissions checking. Although the executor would still insist
+ on some sort of SELECT privilege to run the
+ query, this meant that a user having SELECT
+ privilege on only one column of a table could nonetheless read all
+ its columns through a suitably crafted query.
+
+
+ A stored view that is subject to this problem will have incomplete
+ column-usage bitmaps, and thus permissions will still not be
+ enforced properly on the view after updating. In installations that
+ depend on column-level permissions for security, it is recommended
+ to CREATE OR REPLACE all user-defined views to
+ cause them to be re-parsed.
+
+
+ The
PostgreSQL Project thanks
+ Sven Klemm for reporting this problem.
+ (CVE-2021-20229)
+
+
+
+
+
+ Fix information leakage in constraint-violation error messages
+ (Heikki Linnakangas)
+
+
+ If an UPDATE command attempts to move a row to a
+ different partition but finds that it violates some constraint on
+ the new partition, and the columns in that partition are in
+ different physical positions than in the parent table, the error
+ message could reveal the contents of columns that the user does not
+ have SELECT privilege on.
+ (CVE-2021-3393)
+
+
+
+
+
projects / postgresql.git / commitdiff