From 429560193282f2c29a1bb9f28a055c87b7605253 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 5 Aug 2024 14:03:20 -0400 Subject: [PATCH] Last-minute updates for release notes. Security: CVE-2024-7348 --- doc/src/sgml/release-13.sgml | 39 ++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/doc/src/sgml/release-13.sgml b/doc/src/sgml/release-13.sgml index 2c0a48ef391..a85e9971da6 100644 --- a/doc/src/sgml/release-13.sgml +++ b/doc/src/sgml/release-13.sgml @@ -35,6 +35,45 @@ + + Prevent unauthorized code execution + during pg_dump (Masahiko Sawada) + + + + An attacker able to create and drop non-temporary objects could + inject SQL code that would be executed by a + concurrent pg_dump session with the + privileges of the role running pg_dump + (which is often a superuser). The attack involves replacing a + sequence or similar object with a view or foreign table that will + execute malicious code. To prevent this, introduce a new server + parameter restrict_nonsystem_relation_kind that + can disable expansion of non-builtin views as well as access to + foreign tables, and teach pg_dump to set + it when available. Note that the attack is prevented only if + both pg_dump and the server it is dumping + from are new enough to have this fix. + + + + The PostgreSQL Project thanks + Noah Misch for reporting this problem. + (CVE-2024-7348) + + + + +
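Review bot: In the first paragraph of the added entry, "non-builtin views" does not match the name of the parameter introduced in the same sentence, restrict_nonsystem_relation_kind; writing "non-system views" would let readers connect the description to the setting. The closing caveat ("prevented only if both pg_dump and the server it is dumping from are new enough to have this fix") is the operationally important part and is easy to miss at the end of the paragraph. Consider saying directly that a patched pg_dump run against an unpatched server, or an unpatched pg_dump against a patched server, is still exposed, so administrators know both sides must be updated.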