rdelaage/postgresql
1
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2024-08-23 03:00:41 +02:00
Code Issues Packages Projects Releases Wiki Activity
47,177 Commits 36 Branches 606 Tags 423 MiB
C 86%
PLpgSQL 5.5%
Perl 4.1%
Yacc 1.3%
Makefile 0.7%
Other 2.3%
a021a1d2ae
Go to file
Tom Lane a021a1d2ae libpq: reject extraneous data after SSL or GSS encryption handshake. 
libpq collects up to a bufferload of data whenever it reads data from
the socket.  When SSL or GSS encryption is requested during startup,
any additional data received with the server's yes-or-no reply
remained in the buffer, and would be treated as already-decrypted data
once the encryption handshake completed.  Thus, a man-in-the-middle
with the ability to inject data into the TCP connection could stuff
some cleartext data into the start of a supposedly encryption-protected
database session.

This could probably be abused to inject faked responses to the
client's first few queries, although other details of libpq's behavior
make that harder than it sounds.  A different line of attack is to
exfiltrate the client's password, or other sensitive data that might
be sent early in the session.  That has been shown to be possible with
a server vulnerable to CVE-2021-23214.

To fix, throw a protocol-violation error if the internal buffer
is not empty after the encryption handshake.

Our thanks to Jacob Champion for reporting this problem.

Security: CVE-2021-23222
2021-11-08 11:14:56 -05:00
config jit: configure: Explicitly reference 'native' component. 2020-12-07 18:40:27 -08:00
contrib Don't try to read a multi-GB pg_stat_statements file in one call. 2021-10-31 19:13:48 -04:00
doc libpq: reject extraneous data after SSL or GSS encryption handshake. 2021-11-08 11:14:56 -05:00
src libpq: reject extraneous data after SSL or GSS encryption handshake. 2021-11-08 11:14:56 -05:00
.dir-locals.el Make Emacs perl-mode indent more like perltidy. 2019-01-13 11:32:36 -08:00
.gitattributes Remove contrib/tsearch2. 2017-02-13 11:06:11 -05:00
.gitignore Support for optimizing and emitting code in LLVM JIT provider. 2018-03-22 11:05:22 -07:00
aclocal.m4 Remove configure-time probe for DocBook DTD. 2020-11-30 15:24:13 -05:00
configure Stamp 11.13. 2021-08-09 16:52:43 -04:00
configure.in Stamp 11.13. 2021-08-09 16:52:43 -04:00
COPYRIGHT Update copyright for 2021 2021-01-02 13:06:24 -05:00
GNUmakefile.in Add new make targets world-bin and install-world-bin 2021-07-01 14:52:40 -04:00
HISTORY Change documentation references to PG website to use https: not http: 2017-05-20 21:50:47 -04:00
Makefile Don't unset MAKEFLAGS in non-GNU Makefile. 2019-06-25 09:40:20 +12:00
README Change documentation references to PG website to use https: not http: 2017-05-20 21:50:47 -04:00
README.git Change documentation references to PG website to use https: not http: 2017-05-20 21:50:47 -04:00

README 

PostgreSQL Database Management System
=====================================

This directory contains the source code distribution of the PostgreSQL
database management system.

PostgreSQL is an advanced object-relational database management system
that supports an extended subset of the SQL standard, including
transactions, foreign keys, subqueries, triggers, user-defined types
and functions.  This distribution also contains C language bindings.

PostgreSQL has many language interfaces, many of which are listed here:

	https://www.postgresql.org/download

See the file INSTALL for instructions on how to build and install
PostgreSQL.  That file also lists supported operating systems and
hardware platforms and contains information regarding any other
software packages that are required to build or run the PostgreSQL
system.  Copyright and license information can be found in the
file COPYRIGHT.  A comprehensive documentation set is included in this
distribution; it can be read as described in the installation
instructions.

The latest version of this software may be obtained at
https://www.postgresql.org/download/.  For more information look at our
web site located at https://www.postgresql.org/.