open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Last-minute updates for release notes.

Browse Source 
Security: CVE-2024-0985 (not CVE-2023-5869 as claimed in prior commit msg)
REL_16_STABLE
Tom Lane 2 years ago
parent 246d16eb87
commit da21a3a7d5
1 changed files with 44 additions and 0 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 44
      doc/src/sgml/release-16.sgml

44
doc/src/sgml/release-16.sgml
Unescape View File

@ -41,6 +41,50 @@
<listitem>
<!--
Author: Heikki Linnakangas <heikki.linnakangas@iki.fi>
Branch: master [5a9167c39] 2024-02-05 11:01:23 +0200
Branch: REL_16_STABLE [d6a61cb3b] 2024-02-05 11:02:56 +0200
Branch: REL_15_STABLE [f2fdea198] 2024-02-05 11:03:26 +0200
Branch: REL_14_STABLE [f4f288352] 2024-02-05 11:03:43 +0200
Branch: REL_13_STABLE [d541ce3b6] 2024-02-05 11:04:08 +0200
Branch: REL_12_STABLE [2699fc035] 2024-02-05 11:04:22 +0200
Branch: master [b96115acb] 2024-02-05 11:01:30 +0200
Branch: REL_16_STABLE [fb3836855] 2024-02-05 11:03:03 +0200
Branch: REL_15_STABLE [06f36bc01] 2024-02-05 11:03:28 +0200
Branch: REL_14_STABLE [a45c950ae] 2024-02-05 11:03:43 +0200
Branch: REL_13_STABLE [b73d21648] 2024-02-05 11:04:10 +0200
Branch: REL_12_STABLE [add8bc9b8] 2024-02-05 11:04:23 +0200
-->
<para>
Tighten security restrictions within <command>REFRESH MATERIALIZED
VIEW CONCURRENTLY</command> (Heikki Linnakangas)
</para>
<para>
One step of a concurrent refresh command was run under weak security
restrictions. If a materialized view's owner could persuade a
superuser or other high-privileged user to perform a concurrent
refresh on that view, the view's owner could control code executed
with the privileges of the user running <command>REFRESH</command>.
Fix things so that all user-determined code is run as the view's
owner, as expected.
</para>
<para>
The only known exploit for this error does not work
in <productname>PostgreSQL</productname> 16.0 and later, so it may
be that v16 is not vulnerable in practice.
</para>
<para>
The <productname>PostgreSQL</productname> Project thanks Pedro
Gallegos for reporting this problem.
(CVE-2024-0985) <!-- not CVE-2023-5869 as claimed in commit msg -->
</para>
</listitem>
<listitem>
<!--
Author: Daniel Gustafsson <dgustafsson@postgresql.org>
Branch: master [9dce22033] 2023-09-27 13:02:21 +0200
Branch: REL_16_STABLE [2cf50585e] 2023-11-17 10:18:38 +0100

Write Preview
Loading…
Cancel
Save