EDB PgPool-II 4.2.6 release notes v4

Released: 01 Dec 2021

EDB Pgpool-II 4.2.6 includes the following upstream merge and security fix:

Type            Description
Upstream merge  Merged with community Pgpool-II 4.2.6. See the community Release Notes for details.
Security fix    Reject extraneous data after SSL encryption handshake.

In the server-side implementation of SSL negotiation (the connection between a client and Pgpool-II), a man-in-the-middle attacker could inject arbitrary SQL commands if Pgpool-II was configured to use cert authentication or hostssl + trust. The attacker appends cleartext bytes to the client's SSLRequest message; before the fix those bytes stayed in the read buffer and, once the TLS handshake completed, were processed as if they had been received over the encrypted channel. With cert or trust authentication no password exchange stands in between, so the injected commands run inside the legitimate client's session. This addresses PostgreSQL's CVE-2021-23214.

In the client-side implementation of SSL negotiation (the connection from Pgpool-II to a PostgreSQL backend), a man-in-the-middle attacker could in the same way inject arbitrary server responses if the backend uses trust authentication with a clientcert requirement. Cert authentication is not affected on this side, because Pgpool-II does not implement cert authentication between Pgpool-II and PostgreSQL. This addresses PostgreSQL's CVE-2021-23222.
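The following is an added example, not code from the EDB or Pgpool-II release or its sources. It models the PostgreSQL wire-protocol SSL negotiation on both sides and shows the check that the fix for CVE-2021-23214 (server side) and CVE-2021-23222 (client side) introduces: after the SSLRequest, or after the server's one-byte answer to it, no further bytes may be present in the same read. Only the protocol constants are PostgreSQL's; the function names, the "vulnerable" split and the injected messages are this example's own constructions.

```python
"""Added example (not Pgpool-II or PostgreSQL code): model of the SSL
negotiation read on the server and client side, before and after the
"reject extraneous data after SSL handshake" fix."""
import struct

# PostgreSQL protocol constants: SSLRequest is int32 length 8 + int32 code
# 80877103, i.e. (1234 << 16) | 5679.
SSL_REQUEST_LEN = 8
SSL_REQUEST_CODE = 80877103


def ssl_request() -> bytes:
    """The 8-byte SSLRequest a client sends in cleartext before the TLS handshake."""
    return struct.pack("!ii", SSL_REQUEST_LEN, SSL_REQUEST_CODE)


def query_message(sql: str) -> bytes:
    """A simple-query ('Q') message: tag, int32 length (self-inclusive), SQL, NUL.
    Used here only to build the attacker's injected payload (constructed data)."""
    body = sql.encode() + b"\x00"
    return b"Q" + struct.pack("!i", 4 + len(body)) + body


def vulnerable_server_first_read(buf: bytes):
    """Pre-fix behaviour (modelled, not the real Pgpool-II code): the server peels
    off the SSLRequest and keeps whatever else arrived in the same read. After the
    TLS handshake those leftover cleartext bytes are consumed as if they had been
    decrypted, i.e. as the StartupMessage and first query messages of the session."""
    return buf[:SSL_REQUEST_LEN], buf[SSL_REQUEST_LEN:]


def server_first_read(buf: bytes):
    """Fixed server-side behaviour. Returns one of
    ('startup', buf)     not an SSLRequest, a plaintext StartupMessage follows
    ('ssl', b'')         exactly one SSLRequest: proceed to the TLS handshake
    ('reject', extra)    SSLRequest followed by extra bytes: drop the connection
    ('incomplete', b'')  fewer than 8 bytes so far: read more"""
    if len(buf) < SSL_REQUEST_LEN:
        return ("incomplete", b"")
    length, code = struct.unpack("!ii", buf[:SSL_REQUEST_LEN])
    if length != SSL_REQUEST_LEN or code != SSL_REQUEST_CODE:
        return ("startup", buf)
    extra = buf[SSL_REQUEST_LEN:]
    if extra:
        # The bytes after SSLRequest were never protected by TLS; a MITM could
        # have appended them. Refusing them is the whole fix.
        return ("reject", extra)
    return ("ssl", b"")


def client_ssl_response(buf: bytes):
    """Fixed client-side behaviour after sending SSLRequest. The server answers
    with a single byte, 'S' (start TLS) or 'N' (no SSL). Anything after that byte
    did not come from the server under TLS, so an injector could pre-load fake
    server responses; it is rejected. Rejecting trailing bytes after 'N' as well is
    this example's conservative choice (without TLS a MITM can inject anyway)."""
    if not buf:
        return ("incomplete", b"")
    first, extra = buf[:1], buf[1:]
    if first == b"S":
        return ("reject", extra) if extra else ("ssl", b"")
    if first == b"N":
        return ("reject", extra) if extra else ("plain", b"")
    return ("error", buf)


def demo():
    """Run the two checks over a constructed MITM payload on each side."""
    injected_server = ssl_request() + query_message("SELECT 'injected'")
    # Constructed fake server stream: 'S' followed by an AuthenticationOk ('R', 8, 0)
    injected_client = b"S" + b"R" + struct.pack("!ii", 8, 0)
    return {
        "vulnerable_leftover": vulnerable_server_first_read(injected_server)[1],
        "server_fixed": server_first_read(injected_server),
        "server_clean": server_first_read(ssl_request()),
        "client_fixed": client_ssl_response(injected_client),
        "client_clean": client_ssl_response(b"S"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The point of the model is the asymmetry between the two reads: before the fix, `vulnerable_server_first_read` hands the attacker-appended `Q` message over to the post-handshake code path, where it is indistinguishable from a message the client sent under TLS; after the fix, `server_first_read` refuses the connection the moment a single byte follows the SSLRequest, and `client_ssl_response` applies the same rule to the one-byte answer from the backend.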
Note: This security fix is also available in EDB Pgpool-II 4.1.9, 4.0.16, 3.7.21, and 3.6.28.