Last-minute updates for release notes.

Security: CVE-2019-10164

diff --git a/doc/src/sgml/release-11.sgml b/doc/src/sgml/release-11.sgml
index b11741bfd34e50a700296c49e40ec725d56c6789..28cc7a3e6d8e88a015e9816937c6da7331d3ca7e 100644 (file)
--- a/doc/src/sgml/release-11.sgml
+++ b/doc/src/sgml/release-11.sgml
@@ -35,6 +35,43 @@
 
     
 
+     
+      Fix buffer-overflow hazards in SCRAM verifier parsing
+      (Jonathan Katz, Heikki Linnakangas, Michael Paquier)
+     
+
+     
+      Any authenticated user could cause a stack-based buffer overflow by
+      changing their own password to a purpose-crafted value.  In addition
+      to the ability to crash the PostgreSQL
+      server, this could suffice for executing arbitrary code as
+      the PostgreSQL operating system account.
+     
+
+     
+      A similar overflow hazard existed
+      in libpq, which could allow a rogue
+      server to crash a client or perhaps execute arbitrary code as the
+      client's operating system account.
+     
+
+     
+      The PostgreSQL Project thanks Alexander
+      Lakhin for reporting this problem.  (CVE-2019-10164)
+     
+    
+
+    
+
-     
-      Avoid spurious deadlock failures when upgrading a tuple lock (Oleksii
-      Kliukin)
-     
-    
-
-    
-