|
33 | 33 |
|
34 | 34 | <itemizedlist> |
35 | 35 |
|
| 36 | + <listitem> |
| 37 | + <para> |
| 38 | + Ensure that all temporary files made |
| 39 | + by <application>pg_upgrade</application> are non-world-readable |
| 40 | + (Tom Lane, Noah Misch) |
| 41 | + </para> |
| 42 | + |
| 43 | + <para> |
| 44 | + <application>pg_upgrade</application> normally restricts its |
| 45 | + temporary files to be readable and writable only by the calling user. |
| 46 | + But the temporary file containing <literal>pg_dumpall -g</literal> |
| 47 | + output would be group- or world-readable, or even writable, if the |
| 48 | + user's <literal>umask</literal> setting allows. In typical usage on |
| 49 | + multi-user machines, the <literal>umask</literal> and/or the working |
| 50 | + directory's permissions would be tight enough to prevent problems; |
| 51 | + but there may be people using <application>pg_upgrade</application> |
| 52 | + in scenarios where this oversight would permit disclosure of database |
| 53 | + passwords to unfriendly eyes. |
| 54 | + (CVE-2018-1053) |
| 55 | + </para> |
| 56 | + </listitem> |
| 57 | + |
36 | 58 | <listitem> |
37 | 59 | <para> |
38 | 60 | Fix vacuuming of tuples that were updated while key-share locked |
|