From: Tom Lane Date: Mon, 5 Aug 2024 18:03:20 +0000 (-0400) Subject: Last-minute updates for release notes. X-Git-Tag: REL_12_20~1 X-Git-Url: http://git.postgresql.org/gitweb/?a=commitdiff_plain;h=1b85e65846aa16ede7aeddd67a9bd16ec73a18ae;p=postgresql.git Last-minute updates for release notes. Security: CVE-2024-7348 --- diff --git a/doc/src/sgml/release-12.sgml b/doc/src/sgml/release-12.sgml index e5b7206d448..e59b91378da 100644 --- a/doc/src/sgml/release-12.sgml +++ b/doc/src/sgml/release-12.sgml @@ -41,6 +41,45 @@ + + Prevent unauthorized code execution + during pg_dump (Masahiko Sawada) + + + + An attacker able to create and drop non-temporary objects could + inject SQL code that would be executed by a + concurrent pg_dump session with the + privileges of the role running pg_dump + (which is often a superuser). The attack involves replacing a + sequence or similar object with a view or foreign table that will + execute malicious code. To prevent this, introduce a new server + parameter restrict_nonsystem_relation_kind that + can disable expansion of non-builtin views as well as access to + foreign tables, and teach pg_dump to set + it when available. Note that the attack is prevented only if + both pg_dump and the server it is dumping + from are new enough to have this fix. + + + + The PostgreSQL Project thanks + Noah Misch for reporting this problem. + (CVE-2024-7348) + + + + +