Last-minute updates for release notes.

Security: CVE-2019-10208, CVE-2019-10209

diff --git a/doc/src/sgml/release-11.sgml b/doc/src/sgml/release-11.sgml
index e651b3f4975c8c280e145ceef3b0e0e82c77db2b..61e00ee5709337003e73fbfc32bc460aa2be60a3 100644 (file)
--- a/doc/src/sgml/release-11.sgml
+++ b/doc/src/sgml/release-11.sgml
@@ -35,6 +35,62 @@
 
     
 
+     
+      Require schema qualification to cast to a temporary type when using
+      functional cast syntax (Noah Misch)
+     
+
+     
+      We have long required invocations of temporary functions to
+      explicitly specify the temporary schema, that
+      is pg_temp.func_name(args).
+      Require this as well for casting to temporary types using functional
+      notation, for
+      example pg_temp.type_name(arg).
+      Otherwise it's possible to capture a function call using a temporary
+      object, allowing privilege escalation in much the same ways that we
+      blocked in CVE-2007-2138.
+      (CVE-2019-10208)
+     
+    
+
+    
+
+     
+      Fix execution of hashed subplans that require cross-type comparison
+      (Tom Lane, Andreas Seltenreich)
+     
+
+     
+      Hashed subplans used the outer query's original comparison operator
+      to compare entries of the hash table.  This is the wrong thing if
+      that operator is cross-type, since all the hash table entries will
+      be of the subquery's output type.  For the set of hashable
+      cross-type operators in core PostgreSQL,
+      this mistake seems nearly harmless on 64-bit machines, but it can
+      result in crashes or perhaps unauthorized disclosure of server
+      memory on 32-bit machines.  Extensions might provide hashable
+      cross-type operators that create larger risks.
+      (CVE-2019-10209)
+     
+    
+
+    
+