Last-minute updates for release notes.

Security: CVE-2022-2625

diff --git a/doc/src/sgml/release-13.sgml b/doc/src/sgml/release-13.sgml
index 715ae5a7874da6f99c30ddf651b357eba36fa571..f6868866be3e10a718e9070c29bfa8055c02a06f 100644 (file)
--- a/doc/src/sgml/release-13.sgml
+++ b/doc/src/sgml/release-13.sgml
@@ -35,6 +35,41 @@
 
     
 
+     
+      Do not let extension scripts replace objects not already belonging
+      to the extension (Tom Lane)
+     
+
+     
+      This change prevents extension scripts from doing CREATE
+      OR REPLACE if there is an existing object that does not
+      belong to the extension.  It also prevents CREATE IF NOT
+      EXISTS in the same situation.  This prevents a form of
+      trojan-horse attack in which a hostile database user could become
+      the owner of an extension object and then modify it to compromise
+      future uses of the object by other users.  As a side benefit, it
+      also reduces the risk of accidentally replacing objects one did
+      not mean to.
+     
+
+     
+      The PostgreSQL Project thanks
+      Sven Klemm for reporting this problem.
+      (CVE-2022-2625)
+     
+    
+
+    
+