Last-minute updates for release notes.

Security: CVE-2024-4317

diff --git a/doc/src/sgml/release-14.sgml b/doc/src/sgml/release-14.sgml
index a03163f4f8c0b4a8661c2940171065a9c2ec3a31..53f6ced486ec0e4a021ce4ca2f0604257d1e2642 100644 (file)
--- a/doc/src/sgml/release-14.sgml
+++ b/doc/src/sgml/release-14.sgml
@@ -23,7 +23,16 @@
    
 
    
-    However, if you are upgrading from a version earlier than 14.11,
+    However, a security vulnerability was found in the system
+    views pg_stats_ext
+    and pg_stats_ext_exprs, potentially allowing
+    authenticated database users to see data they shouldn't.  If this is
+    of concern in your installation, follow the steps in the first
+    changelog entry below to rectify it.
+   
+
+   
+    Also, if you are upgrading from a version earlier than 14.11,
     see .
    
   
@@ -35,6 +44,90 @@
 
     
 
+     
+      Restrict visibility of pg_stats_ext and
+      pg_stats_ext_exprs entries to the table
+      owner (Nathan Bossart)
+     
+
+     
+      These views failed to hide statistics for expressions that involve
+      columns the accessing user does not have permission to read.  View
+      columns such as most_common_vals might
+      expose security-relevant data.  The potential interactions here are
+      not fully clear, so in the interest of erring on the side of safety,
+      make rows in these views visible only to the owner of the associated
+      table.
+     
+
+     
+      The PostgreSQL Project thanks
+      Lukas Fittl for reporting this problem.
+      (CVE-2024-4317)
+     
+
+     
+      By itself, this fix will only fix the behavior in newly initdb'd
+      database clusters.  If you wish to apply this change in an existing
+      cluster, you will need to do the following:
+     
+
+     
+      
+       
+        Find the SQL script fix-CVE-2024-4317.sql in
+        the share directory of
+        the PostgreSQL installation (typically
+        located someplace like /usr/share/postgresql/).
+        Be sure to use the script appropriate to
+        your PostgreSQL major version.
+        If you do not see this file, either your version is not vulnerable
+        (only v14–v16 are affected) or your minor version is too
+        old to have the fix.
+       
+      
+
+      
+       
+        In each database of the cluster, run
+        the fix-CVE-2024-4317.sql script as superuser.
+        In psql this would look like
+
+\i /usr/share/postgresql/fix-CVE-2024-4317.sql
+
+        (adjust the file path as appropriate).  Any error probably indicates
+        that you've used the wrong script version.  It will not hurt to run
+        the script more than once.
+       
+      
+
+      
+       
+        Do not forget to include the template0
+        and template1 databases, or the vulnerability
+        will still exist in databases you create later.  To
+        fix template0, you'll need to temporarily make
+        it accept connections.  Do that with
+
+ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
+
+        and then after fixing template0, undo it with
+
+ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
+
+       
+      
+     
+    
+
+    
+