Version 4.2.6 v4.3

EDB Pgpool-II 4.2.6 includes the following upstream merge and security fix:

TypeDescription
Upstream mergeMerged with community Pgpool-II 4.2.6. See the community Release Notes for details.
Security fixReject extraneous data after SSL encryption handshake.

In the server-side implementation of SSL negotiation, it was possible for a man-in-the-middle attacker to inject arbitrary SQL commands if it was configured to use cert authentication or hostssl + trust. This addresses PostgreSQL's CVE-2021-23214.

In the client-side implementation of SSL negotiation, it was possible for a man-in-the-middle attacker to inject arbitrary responses if the database server is using trust authentication with a clientcert requirement. It is not possible with cert authentication because Pgpool-II does not implement the cert authentication between Pgpool-II and PostgreSQL. This addresses PostgreSQL's CVE-2021-23222.
Note

This security fix is also available in EDB Pgpool-II 4.1.9, 4.0.16, 3.7.21, and 3.6.28.

export const _frontmatter = {"title":"Version 4.2.6"}