Last-minute updates for release notes.

Security: CVE-2021-32027, CVE-2021-32028, CVE-2021-32029

diff --git a/doc/src/sgml/release-9.6.sgml b/doc/src/sgml/release-9.6.sgml
index 127564e1a718aeefd9b044f48a6f0b0ec90f012b..45f421311c30b021a42d0e9d20f334cedde8b0a7 100644 (file)
--- a/doc/src/sgml/release-9.6.sgml
+++ b/doc/src/sgml/release-9.6.sgml
@@ -42,6 +42,69 @@
     <listitem>
 <!--
 Author: Tom Lane <[email protected]>
+Branch: master [f02b9085a] 2021-05-10 10:44:38 -0400
+Branch: REL_13_STABLE [467395bfd] 2021-05-10 10:44:38 -0400
+Branch: REL_12_STABLE [3b0f6a7ae] 2021-05-10 10:44:38 -0400
+Branch: REL_11_STABLE [06bfbe854] 2021-05-10 10:44:38 -0400
+Branch: REL_10_STABLE [2fb809d3e] 2021-05-10 10:44:38 -0400
+Branch: REL9_6_STABLE [0c1caa48d] 2021-05-10 10:44:38 -0400
+-->
+     <para>
+      Prevent integer overflows in array subscripting calculations
+      (Tom Lane)
+     </para>
+
+     <para>
+      The array code previously did not complain about cases where an
+      array's lower bound plus length overflows an integer.  This resulted
+      in later entries in the array becoming inaccessible (since their
+      subscripts could not be written as integers), but more importantly
+      it confused subsequent assignment operations.  This could lead to
+      memory overwrites, with ensuing crashes or unwanted data
+      modifications.
+      (CVE-2021-32027)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <[email protected]>
+Branch: master [049e1e2ed] 2021-05-10 11:02:29 -0400
+Branch: REL_13_STABLE [4a8656a7e] 2021-05-10 11:02:29 -0400
+Branch: REL_12_STABLE [a5fa3e067] 2021-05-10 11:02:29 -0400
+Branch: REL_11_STABLE [b7d1f32ff] 2021-05-10 11:02:29 -0400
+Branch: REL_10_STABLE [52a441362] 2021-05-10 11:02:30 -0400
+Branch: REL9_6_STABLE [0fcb8e2e0] 2021-05-10 11:02:30 -0400
+-->
+     <para>
+      Fix mishandling of <quote>junk</quote> columns in <literal>INSERT
+      ... ON CONFLICT ... UPDATE</literal> target lists (Tom Lane)
+     </para>
+
+     <para>
+      If the <literal>UPDATE</literal> list contains any multi-column
+      sub-selects (which give rise to junk columns in addition to the
+      results proper), the <literal>UPDATE</literal> path would end up
+      storing tuples that include the values of the extra junk columns.
+      That's fairly harmless in the short run, but if new columns are
+      added to the table then the values would become accessible, possibly
+      leading to malfunctions if they don't match the datatypes of the
+      added columns.
+     </para>
+
+     <para>
+      In addition, in versions supporting cross-partition updates,
+      a cross-partition update triggered by such a case had the reverse
+      problem: the junk columns were removed from the target list,
+      typically causing an immediate crash due to malfunction of the
+      multi-column sub-select mechanism.
+      (CVE-2021-32028)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <[email protected]>
 Branch: master [69d5ca484] 2021-04-13 15:10:18 -0400
 Branch: REL_13_STABLE [c39aa1e87] 2021-04-13 15:10:18 -0400
 Branch: REL_12_STABLE [a7fcb6285] 2021-04-13 15:10:18 -0400