Commit 9b93a33

Last-minute updates for release notes.
Security: CVE-2021-32027, CVE-2021-32028, CVE-2021-32029
1 parent 4a8656a commit 9b93a33

1 file changed, +67 -0 lines changed

‎doc/src/sgml/release-13.sgml

Lines changed: 67 additions & 0 deletions
@@ -36,6 +36,69 @@
3636
<listitem>
3737
<!--
3838
Author: Tom Lane <tgl@sss.pgh.pa.us>
39+
Branch: master [f02b9085a] 2021-05-10 10:44:38 -0400
40+
Branch: REL_13_STABLE [467395bfd] 2021-05-10 10:44:38 -0400
41+
Branch: REL_12_STABLE [3b0f6a7ae] 2021-05-10 10:44:38 -0400
42+
Branch: REL_11_STABLE [06bfbe854] 2021-05-10 10:44:38 -0400
43+
Branch: REL_10_STABLE [2fb809d3e] 2021-05-10 10:44:38 -0400
44+
Branch: REL9_6_STABLE [0c1caa48d] 2021-05-10 10:44:38 -0400
45+
-->
46+
<para>
47+
Prevent integer overflows in array subscripting calculations
48+
(Tom Lane)
49+
</para>
50+
51+
<para>
52+
The array code previously did not complain about cases where an
53+
array's lower bound plus length overflows an integer. This resulted
54+
in later entries in the array becoming inaccessible (since their
55+
subscripts could not be written as integers), but more importantly
56+
it confused subsequent assignment operations. This could lead to
57+
memory overwrites, with ensuing crashes or unwanted data
58+
modifications.
59+
(CVE-2021-32027)
60+
</para>
61+
</listitem>
62+
63+
<listitem>
64+
<!--
65+
Author: Tom Lane <tgl@sss.pgh.pa.us>
66+
Branch: master [049e1e2ed] 2021-05-10 11:02:29 -0400
67+
Branch: REL_13_STABLE [4a8656a7e] 2021-05-10 11:02:29 -0400
68+
Branch: REL_12_STABLE [a5fa3e067] 2021-05-10 11:02:29 -0400
69+
Branch: REL_11_STABLE [b7d1f32ff] 2021-05-10 11:02:29 -0400
70+
Branch: REL_10_STABLE [52a441362] 2021-05-10 11:02:30 -0400
71+
Branch: REL9_6_STABLE [0fcb8e2e0] 2021-05-10 11:02:30 -0400
72+
-->
73+
<para>
74+
Fix mishandling of <quote>junk</quote> columns in <literal>INSERT
75+
... ON CONFLICT ... UPDATE</literal> target lists (Tom Lane)
76+
</para>
77+
78+
<para>
79+
If the <literal>UPDATE</literal> list contains any multi-column
80+
sub-selects (which give rise to junk columns in addition to the
81+
results proper), the <literal>UPDATE</literal> path would end up
82+
storing tuples that include the values of the extra junk columns.
83+
That's fairly harmless in the short run, but if new columns are
84+
added to the table then the values would become accessible, possibly
85+
leading to malfunctions if they don't match the datatypes of the
86+
added columns.
87+
</para>
88+
89+
<para>
90+
In addition, in versions supporting cross-partition updates,
91+
a cross-partition update triggered by such a case had the reverse
92+
problem: the junk columns were removed from the target list,
93+
typically causing an immediate crash due to malfunction of the
94+
multi-column sub-select mechanism.
95+
(CVE-2021-32028)
96+
</para>
97+
</listitem>
98+
99+
<listitem>
100+
<!--
101+
Author: Tom Lane <tgl@sss.pgh.pa.us>
39102
Branch: REL_13_STABLE [a71cfc56b] 2021-04-22 11:46:41 -0400
40103
Branch: REL_12_STABLE [3fb93103a] 2021-04-22 11:46:41 -0400
41104
Branch: REL_11_STABLE [27835b547] 2021-04-22 11:46:41 -0400
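Review bot: In the second new entry, (CVE-2021-32028) is attached only to the end of the third paragraph, after the cross-partition crash, while the stored junk-column values in the second paragraph are described as "fairly harmless in the short run"; a reader cannot tell whether the CVE covers both behaviours or only the crash. Consider stating the security impact in the paragraph it applies to, or giving the tag a sentence of its own that names the affected cases. Separately, the title writes the command as <literal>INSERT ... ON CONFLICT ... UPDATE</literal>; the clause is spelled ON CONFLICT ... DO UPDATE, so including DO would match the syntax users search for.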
@@ -58,6 +121,7 @@ Branch: REL_12_STABLE [05ce4bf8b] 2021-04-22 17:30:42 -0400
58121
could produce errors or wrong answers. No error is observed unless
59122
the <command>UPDATE</command> involves other tables being joined to
60123
the target table.
124+
(CVE-2021-32029)
61125
</para>
62126
</listitem>
63127

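Review bot: The added (CVE-2021-32029) tag follows text that mentions only "errors or wrong answers", so the entry gives no indication of why this is a security fix. Add a sentence before the tag that states the security consequence, in the way the CVE-2021-32027 entry does with "memory overwrites, with ensuing crashes or unwanted data modifications".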
@@ -689,6 +753,9 @@ Branch: REL_13_STABLE [d4b667e93] 2021-02-18 23:28:58 +0900
689753
Author: Peter Eisentraut <peter@eisentraut.org>
690754
Branch: master [b94409a02] 2021-05-03 12:18:27 +0200
691755
Branch: REL_13_STABLE [e48ce7ef0] 2021-05-03 21:01:09 +0200
756+
Author: Peter Eisentraut <peter@eisentraut.org>
757+
Branch: master [fa8fbadb9] 2021-05-10 11:40:03 +0200
758+
Branch: REL_13_STABLE [0d204a4b0] 2021-05-10 13:56:21 +0200
692759
-->
693760
<para>
694761
Reduce the overhead of dtrace probes for LWLock operations, when
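Review bot: The three added Author/Branch lines attach commits fa8fbadb9 and 0d204a4b0 to the existing LWLock dtrace entry without changing its text, and the commit message mentions only the security items. Confirm that "Reduce the overhead of dtrace probes for LWLock operations" still describes the follow-up commit, and note this attribution update in the commit message so it is not mistaken for part of the CVE changes.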
