From d03c0413343ac5a79bc2f6ee5abc84c873efd863 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Mon, 5 Aug 2019 11:49:14 -0400
Subject: Last-minute updates for release notes.
Security: CVE-2019-10208, CVE-2019-10209
---
doc/src/sgml/release-11.sgml | 56 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
diff --git a/doc/src/sgml/release-11.sgml b/doc/src/sgml/release-11.sgml
index e651b3f4975..61e00ee5709 100644
--- a/doc/src/sgml/release-11.sgml
+++ b/doc/src/sgml/release-11.sgml
@@ -35,6 +35,62 @@
+
+ Require schema qualification to cast to a temporary type when using
+ functional cast syntax (Noah Misch)
+
+
+
+ We have long required invocations of temporary functions to
+ explicitly specify the temporary schema, that
+ is pg_temp.func_name(args).
+ Require this as well for casting to temporary types using functional
+ notation, for
+ example pg_temp.type_name(arg).
+ Otherwise it's possible to capture a function call using a temporary
+ object, allowing privilege escalation in much the same ways that we
+ blocked in CVE-2007-2138.
+ (CVE-2019-10208)
+
+
+
+
+
+
+ Fix execution of hashed subplans that require cross-type comparison
+ (Tom Lane, Andreas Seltenreich)
+
+
+
+ Hashed subplans used the outer query's original comparison operator
+ to compare entries of the hash table. This is the wrong thing if
+ that operator is cross-type, since all the hash table entries will
+ be of the subquery's output type. For the set of hashable
+ cross-type operators in core PostgreSQL,
+ this mistake seems nearly harmless on 64-bit machines, but it can
+ result in crashes or perhaps unauthorized disclosure of server
+ memory on 32-bit machines. Extensions might provide hashable
+ cross-type operators that create larger risks.
+ (CVE-2019-10209)
+
+
+
+
+