Last-minute updates for release notes.

author Tom Lane

Mon, 5 Aug 2024 18:03:20 +0000 (14:03 -0400)

committer Tom Lane

Mon, 5 Aug 2024 18:03:20 +0000 (14:03 -0400)
author Tom Lane
Mon, 5 Aug 2024 18:03:20 +0000 (14:03 -0400)
committer Tom Lane
Mon, 5 Aug 2024 18:03:20 +0000 (14:03 -0400)
diff --git a/doc/src/sgml/release-14.sgml b/doc/src/sgml/release-14.sgml

index ac7683887343b0cb0b6427770f54b0fe58a9e675..a535409aa7d9fe5058e572ee5318a7bf34a58475 100644 (file)
--- a/doc/src/sgml/release-14.sgml
+++ b/doc/src/sgml/release-14.sgml
@@ -35,6 +35,45 @@
  
      
  
+     
+      Prevent unauthorized code execution
+      during pg_dump (Masahiko Sawada)
+     
+
+     
+      An attacker able to create and drop non-temporary objects could
+      inject SQL code that would be executed by a
+      concurrent pg_dump session with the
+      privileges of the role running pg_dump
+      (which is often a superuser).  The attack involves replacing a
+      sequence or similar object with a view or foreign table that will
+      execute malicious code.  To prevent this, introduce a new server
+      parameter restrict_nonsystem_relation_kind that
+      can disable expansion of non-builtin views as well as access to
+      foreign tables, and teach pg_dump to set
+      it when available.  Note that the attack is prevented only if
+      both pg_dump and the server it is dumping
+      from are new enough to have this fix.
+     
+
+     
+      The PostgreSQL Project thanks
+      Noah Misch for reporting this problem.
+      (CVE-2024-7348)
+     
+    
+
+    
+
author	Tom Lane
	Mon, 5 Aug 2024 18:03:20 +0000 (14:03 -0400)
committer	Tom Lane
	Mon, 5 Aug 2024 18:03:20 +0000 (14:03 -0400)