rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
52,510 Commits 36 Branches 606 Tags 423 MiB
C 86%
PLpgSQL 5.5%
Perl 4.1%
Yacc 1.3%
Makefile 0.7%
Other 2.3%
Go to file
Tom Lane 28e2412554 Reject extraneous data after SSL or GSS encryption handshake. 
The server collects up to a bufferload of data whenever it reads data
from the client socket.  When SSL or GSS encryption is requested
during startup, any additional data received with the initial
request message remained in the buffer, and would be treated as
already-decrypted data once the encryption handshake completed.
Thus, a man-in-the-middle with the ability to inject data into the
TCP connection could stuff some cleartext data into the start of
a supposedly encryption-protected database session.

This could be abused to send faked SQL commands to the server,
although that would only work if the server did not demand any
authentication data.  (However, a server relying on SSL certificate
authentication might well not do so.)

To fix, throw a protocol-violation error if the internal buffer
is not empty after the encryption handshake.

Our thanks to Jacob Champion for reporting this problem.

Security: CVE-2021-23214
 		2021-11-08 11:01:43 -05:00
config Adjust configure to insist on Perl version >= 5.8.3. 2021-10-07 14:26:17 -04:00
contrib Fix gist_bool_ops to use gbtreekey2 2021-11-08 01:14:55 +01:00
doc Disallow making an empty lexeme via array_to_tsvector(). 2021-11-06 13:28:53 -04:00
src Reject extraneous data after SSL or GSS encryption handshake. 2021-11-08 11:01:43 -05:00
.dir-locals.el Make Emacs perl-mode indent more like perltidy. 2019-01-13 11:32:31 -08:00
.editorconfig Add .editorconfig 2019-12-18 09:13:13 +01:00
.git-blame-ignore-revs Add another old commit to git-blame-ignore-revs. 2021-11-03 17:34:19 -07:00
.gitattributes gitattributes: Add new entry to silence whitespace error 2021-06-05 07:57:31 +02:00
.gitignore Support for optimizing and emitting code in LLVM JIT provider. 2018-03-22 11:05:22 -07:00
COPYRIGHT Update copyright for 2021 2021-01-02 13:06:25 -05:00
GNUmakefile.in add missing tag from commit b8c4261e5e 2021-07-01 15:47:46 -04:00
HISTORY Canonicalize some URLs 2020-02-10 20:47:50 +01:00
Makefile Don't unset MAKEFLAGS in non-GNU Makefile. 2019-06-25 09:36:21 +12:00
README Canonicalize some URLs 2020-02-10 20:47:50 +01:00
README.git Canonicalize some URLs 2020-02-10 20:47:50 +01:00
aclocal.m4 Remove configure-time probe for DocBook DTD. 2020-11-30 15:24:13 -05:00
configure Make configure check for minimum required version of IPC::Run. 2021-10-11 16:49:49 -04:00
configure.ac Make configure check for minimum required version of IPC::Run. 2021-10-11 16:49:49 -04:00

README 

PostgreSQL Database Management System
=====================================

This directory contains the source code distribution of the PostgreSQL
database management system.

PostgreSQL is an advanced object-relational database management system
that supports an extended subset of the SQL standard, including
transactions, foreign keys, subqueries, triggers, user-defined types
and functions.  This distribution also contains C language bindings.

PostgreSQL has many language interfaces, many of which are listed here:

	https://www.postgresql.org/download/

See the file INSTALL for instructions on how to build and install
PostgreSQL.  That file also lists supported operating systems and
hardware platforms and contains information regarding any other
software packages that are required to build or run the PostgreSQL
system.  Copyright and license information can be found in the
file COPYRIGHT.  A comprehensive documentation set is included in this
distribution; it can be read as described in the installation
instructions.

The latest version of this software may be obtained at
https://www.postgresql.org/download/.  For more information look at our
web site located at https://www.postgresql.org/.