However, note that installations using physical replication should
update standby servers before the primary server, as explained in
- the first changelog entry below.
+ the third changelog entry below.
+ Make the server reject extraneous data after an SSL or GSS
+ encryption handshake (Tom Lane)
+
+
+ A man-in-the-middle with the ability to inject data into the TCP
+ connection could stuff some cleartext data into the start of a
+ supposedly encryption-protected database session.
+ This could be abused to send faked SQL commands to the server,
+ although that would only work if the server did not demand any
+ authentication data. (However, a server relying on SSL certificate
+ authentication might well not do so.)
+
+
+ The
PostgreSQL Project thanks
+ Jacob Champion for reporting this problem.
+ (CVE-2021-23214)
+
+
+
+
+
+ Make
libpq reject extraneous data after
+ an SSL or GSS encryption handshake (Tom Lane)
+
+
+ A man-in-the-middle with the ability to inject data into the TCP
+ connection could stuff some cleartext data into the start of a
+ supposedly encryption-protected database session.
+ This could probably be abused to inject faked responses to the
+ client's first few queries, although other details of libpq's
+ behavior make that harder than it sounds. A different line of
+ attack is to exfiltrate the client's password, or other sensitive
+ data that might be sent early in the session. That has been shown
+ to be possible with a server vulnerable to CVE-2021-23214.
+
+
+ The
PostgreSQL Project thanks
+ Jacob Champion for reporting this problem.
+ (CVE-2021-23222)
+
+
+
+
+
+ Avoid choosing the wrong hash equality operator for Memoize plans
+ (David Rowley)
+
+
+ This error could result in crashes or incorrect query results.
+
+
+
+
+
projects / postgresql.git / commitdiff