rdelaage/postgresql
1
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2024-09-30 06:11:36 +02:00
Code Issues Packages Projects Releases Wiki Activity
52,511 Commits 36 Branches 606 Tags 423 MiB
C 86%
PLpgSQL 5.5%
Perl 4.1%
Yacc 1.3%
Makefile 0.7%
Other 2.3%
160c025880
Go to file
Tom Lane 160c025880 libpq: reject extraneous data after SSL or GSS encryption handshake. 
libpq collects up to a bufferload of data whenever it reads data from
the socket.  When SSL or GSS encryption is requested during startup,
any additional data received with the server's yes-or-no reply
remained in the buffer, and would be treated as already-decrypted data
once the encryption handshake completed.  Thus, a man-in-the-middle
with the ability to inject data into the TCP connection could stuff
some cleartext data into the start of a supposedly encryption-protected
database session.

This could probably be abused to inject faked responses to the
client's first few queries, although other details of libpq's behavior
make that harder than it sounds.  A different line of attack is to
exfiltrate the client's password, or other sensitive data that might
be sent early in the session.  That has been shown to be possible with
a server vulnerable to CVE-2021-23214.

To fix, throw a protocol-violation error if the internal buffer
is not empty after the encryption handshake.

Our thanks to Jacob Champion for reporting this problem.

Security: CVE-2021-23222
2021-11-08 11:14:56 -05:00
config Adjust configure to insist on Perl version >= 5.8.3. 2021-10-07 14:26:17 -04:00
contrib Fix gist_bool_ops to use gbtreekey2 2021-11-08 01:14:55 +01:00
doc libpq: reject extraneous data after SSL or GSS encryption handshake. 2021-11-08 11:14:56 -05:00
src libpq: reject extraneous data after SSL or GSS encryption handshake. 2021-11-08 11:14:56 -05:00
.dir-locals.el
.editorconfig
.git-blame-ignore-revs Add another old commit to git-blame-ignore-revs. 2021-11-03 17:34:19 -07:00
.gitattributes gitattributes: Add new entry to silence whitespace error 2021-06-05 07:57:31 +02:00
.gitignore
aclocal.m4 Remove configure-time probe for DocBook DTD. 2020-11-30 15:24:13 -05:00
configure Make configure check for minimum required version of IPC::Run. 2021-10-11 16:49:49 -04:00
configure.ac Make configure check for minimum required version of IPC::Run. 2021-10-11 16:49:49 -04:00
COPYRIGHT Update copyright for 2021 2021-01-02 13:06:25 -05:00
GNUmakefile.in add missing tag from commit b8c4261e5e 2021-07-01 15:47:46 -04:00
HISTORY
Makefile
README
README.git

README 

PostgreSQL Database Management System
=====================================

This directory contains the source code distribution of the PostgreSQL
database management system.

PostgreSQL is an advanced object-relational database management system
that supports an extended subset of the SQL standard, including
transactions, foreign keys, subqueries, triggers, user-defined types
and functions.  This distribution also contains C language bindings.

PostgreSQL has many language interfaces, many of which are listed here:

	https://www.postgresql.org/download/

See the file INSTALL for instructions on how to build and install
PostgreSQL.  That file also lists supported operating systems and
hardware platforms and contains information regarding any other
software packages that are required to build or run the PostgreSQL
system.  Copyright and license information can be found in the
file COPYRIGHT.  A comprehensive documentation set is included in this
distribution; it can be read as described in the installation
instructions.

The latest version of this software may be obtained at
https://www.postgresql.org/download/.  For more information look at our
web site located at https://www.postgresql.org/.