Last-minute updates for release notes.

Security: CVE-2020-1720

diff --git a/doc/src/sgml/release-11.sgml b/doc/src/sgml/release-11.sgml
index e91a4b922c8af6890d88780c92d380089cd7a6f2..aa78b396c5cc363526b4c30d2e0573d929809ce6 100644 (file)
--- a/doc/src/sgml/release-11.sgml
+++ b/doc/src/sgml/release-11.sgml
@@ -36,6 +36,30 @@
     
 
+     
+      Add missing permissions checks for ALTER ... DEPENDS ON
+      EXTENSION (Álvaro Herrera)
+     
+
+     
+      Marking an object as dependent on an extension did not have any
+      privilege check whatsoever.  This oversight allowed any user to mark
+      routines, triggers, materialized views, or indexes as droppable by
+      anyone able to drop an extension.  Require that the calling user own
+      the specified object (and hence have privilege to drop it).
+      (CVE-2020-1720)
+     
+    
+
+    
+
+     
+      Apply more thorough syntax checking
+      to createuser's
+      --connection-limit option (Álvaro Herrera)
+     
+    
+
+    
+