Last-minute updates for release notes.

Security: CVE-2022-2625

diff --git a/doc/src/sgml/release-14.sgml b/doc/src/sgml/release-14.sgml
index e7da94b025a91c4b52a91007a3386eba18ee871b..b5f9110981296b344c344e12479394dacf6871d3 100644 (file)
--- a/doc/src/sgml/release-14.sgml
+++ b/doc/src/sgml/release-14.sgml
@@ -35,6 +35,41 @@
 
     
 
+     
+      Do not let extension scripts replace objects not already belonging
+      to the extension (Tom Lane)
+     
+
+     
+      This change prevents extension scripts from doing CREATE
+      OR REPLACE if there is an existing object that does not
+      belong to the extension.  It also prevents CREATE IF NOT
+      EXISTS in the same situation.  This prevents a form of
+      trojan-horse attack in which a hostile database user could become
+      the owner of an extension object and then modify it to compromise
+      future uses of the object by other users.  As a side benefit, it
+      also reduces the risk of accidentally replacing objects one did
+      not mean to.
+     
+
+     
+      The PostgreSQL Project thanks
+      Sven Klemm for reporting this problem.
+      (CVE-2022-2625)
+     
+    
+
+    
+