rdelaage/postgresql
1
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2024-09-05 14:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Last-minute updates for release notes.

Browse Source 
Security: CVE-2021-23214, CVE-2021-23222
This commit is contained in:
Tom Lane 2021-11-08 14:02:16 -05:00
parent a021a1d2ae
commit 965e7b1e85
1 changed files with 69 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
doc/src/sgml/release-11.sgml
View File

@ -25,7 +25,7 @@
<para> <para>
However, note that installations using physical replication should However, note that installations using physical replication should
update standby servers before the primary server, as explained in update standby servers before the primary server, as explained in
the first changelog entry below. the third changelog entry below.
</para> </para>
<para> <para>
@ -48,6 +48,74 @@
<listitem> <listitem>
<!-- <!--
Author: Tom Lane <tgl@sss.pgh.pa.us>
Branch: master [28e241255] 2021-11-08 11:01:43 -0500
Branch: REL_14_STABLE [9d5a76b8d] 2021-11-08 11:01:43 -0500
Branch: REL_13_STABLE [e92ed93e8] 2021-11-08 11:01:43 -0500
Branch: REL_12_STABLE [d1bd26740] 2021-11-08 11:01:43 -0500
Branch: REL_11_STABLE [9394fb828] 2021-11-08 11:01:43 -0500
Branch: REL_10_STABLE [9ae0f1112] 2021-11-08 11:01:43 -0500
Branch: REL9_6_STABLE [046c2c846] 2021-11-08 11:01:43 -0500
-->
<para>
Make the server reject extraneous data after an SSL or GSS
encryption handshake (Tom Lane)
</para>
<para>
A man-in-the-middle with the ability to inject data into the TCP
connection could stuff some cleartext data into the start of a
supposedly encryption-protected database session.
This could be abused to send faked SQL commands to the server,
although that would only work if the server did not demand any
authentication data. (However, a server relying on SSL certificate
authentication might well not do so.)
</para>
<para>
The <productname>PostgreSQL</productname> Project thanks
Jacob Champion for reporting this problem.
(CVE-2021-23214)
</para>
</listitem>
<listitem>
<!--
Author: Tom Lane <tgl@sss.pgh.pa.us>
Branch: master [160c02588] 2021-11-08 11:14:56 -0500
Branch: REL_14_STABLE [30547d791] 2021-11-08 11:14:56 -0500
Branch: REL_13_STABLE [844b31692] 2021-11-08 11:14:56 -0500
Branch: REL_12_STABLE [36bb95ef2] 2021-11-08 11:14:56 -0500
Branch: REL_11_STABLE [a021a1d2a] 2021-11-08 11:14:56 -0500
Branch: REL_10_STABLE [e65d9c8cd] 2021-11-08 11:14:56 -0500
Branch: REL9_6_STABLE [d83cdfdca] 2021-11-08 11:14:57 -0500
-->
<para>
Make <application>libpq</application> reject extraneous data after
an SSL or GSS encryption handshake (Tom Lane)
</para>
<para>
A man-in-the-middle with the ability to inject data into the TCP
connection could stuff some cleartext data into the start of a
supposedly encryption-protected database session.
This could probably be abused to inject faked responses to the
client's first few queries, although other details of libpq's
behavior make that harder than it sounds. A different line of
attack is to exfiltrate the client's password, or other sensitive
data that might be sent early in the session. That has been shown
to be possible with a server vulnerable to CVE-2021-23214.
</para>
<para>
The <productname>PostgreSQL</productname> Project thanks
Jacob Champion for reporting this problem.
(CVE-2021-23222)
</para>
</listitem>
<listitem>
<!--
Author: Alvaro Herrera <alvherre@alvh.no-ip.org> Author: Alvaro Herrera <alvherre@alvh.no-ip.org>
Branch: master [ff9f111bc] 2021-09-29 11:21:51 -0300 Branch: master [ff9f111bc] 2021-09-29 11:21:51 -0300
Branch: REL_14_STABLE [64a8687a6] 2021-09-29 11:41:01 -0300 Branch: REL_14_STABLE [64a8687a6] 2021-09-29 11:41:01 -0300