Last-minute updates for release notes.

Security: CVE-2022-41862

diff --git a/doc/src/sgml/release-14.sgml b/doc/src/sgml/release-14.sgml
index f4d6d11ca4d121bd8973da01ba98a8415028a4d8..f8d317034c2057231bbece27ed64b9c9cf2b781a 100644 (file)
--- a/doc/src/sgml/release-14.sgml
+++ b/doc/src/sgml/release-14.sgml
@@ -35,6 +35,35 @@
 
     
 
+     
+      libpq can leak memory contents after
+      GSSAPI transport encryption initiation fails (Jacob Champion)
+     
+
+     
+      A modified server, or an unauthenticated man-in-the-middle, can
+      send a not-zero-terminated error message during setup of GSSAPI
+      (Kerberos) transport encryption.  libpq
+      will then copy that string, as well as following bytes in
+      application memory up to the next zero byte, to its error report.
+      Depending on what the calling application does with the error
+      report, this could result in disclosure of application memory
+      contents.  There is also a small probability of a crash due to
+      reading beyond the end of memory.  Fix by properly zero-terminating
+      the server message.
+      (CVE-2022-41862)
+     
+    
+
+    
+