projects / postgresql.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b1b585e)
Last-minute updates for release notes.
authorTom Lane
Mon, 7 Aug 2023 16:50:15 +0000 (12:50 -0400)
committerTom Lane
Mon, 7 Aug 2023 16:50:15 +0000 (12:50 -0400)
Security: CVE-2023-39417, CVE-2023-39418

doc/src/sgml/release-13.sgml patch | blob | blame | history

diff --git a/doc/src/sgml/release-13.sgml b/doc/src/sgml/release-13.sgml
index 500a7d0bb84644ec592a90e2d8a7f5af32605a19..03738a70322abf93e21a04b885fe1c78b1df29dd 100644 (file)
--- a/doc/src/sgml/release-13.sgml
+++ b/doc/src/sgml/release-13.sgml
@@ -24,7 +24,7 @@
 
    
     However, if you use BRIN indexes, it may be advisable to reindex them;
-    see the first changelog entry below.
+    see the second changelog entry below.
    
 
    
@@ -40,6 +40,35 @@
 
     
 
+     
+      Disallow substituting a schema or owner name into an extension script
+      if the name contains a quote, backslash, or dollar sign (Noah Misch)
+     
+
+     
+      This restriction guards against SQL-injection hazards for trusted
+      extensions.
+     
+
+     
+      The PostgreSQL Project thanks Micah Gate,
+      Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting
+      this problem.
+      (CVE-2023-39417)
+     
+    
+
+    
+