Log message:
postgresql: updated to 14.1, 13.5, 12.9, 11.14, 10.19, 9.6.24
PostgreSQL 14.1, 13.5, 12.9, 11.14, 10.19, and 9.6.24
Security Issues
CVE-2021-23214: Server processes unencrypted bytes from man-in-the-middle
Versions Affected: 9.6 - 14. The security team typically does not test \
unsupported versions, but this problem is quite old.
When the server is configured to use trust authentication with a clientcert \
requirement or to use cert authentication, a man-in-the-middle attacker can \
inject arbitrary SQL queries when a connection is first established, despite the \
use of SSL certificate verification and encryption.
The PostgreSQL project thanks Jacob Champion for reporting this problem.
CVE-2021-23222: libpq processes unencrypted bytes from man-in-the-middle
Versions Affected: 9.6 - 14. The security team typically does not test \
unsupported versions, but this problem is quite old.
A man-in-the-middle attacker can inject false responses to the client's first \
few queries, despite the use of SSL certificate verification and encryption.
If more preconditions hold, the attacker can exfiltrate the client's password or \
other confidential data that might be transmitted early in a session. The \
attacker must have a way to trick the client's intended server into making the \
confidential data accessible to the attacker. A known implementation having that \
property is a PostgreSQL configuration vulnerable to CVE-2021-23214.
As with any exploitation of CVE-2021-23214, the server must be using trust \
authentication with a clientcert requirement or using cert authentication. To \
disclose a password, the client must be in possession of a password, which is \
atypical when using an authentication configuration vulnerable to \
CVE-2021-23214. The attacker must have some other way to access the server to \
retrieve the exfiltrated data (a valid, unprivileged login account would be \
sufficient).
The PostgreSQL project thanks Jacob Champion for reporting this problem.
Bug Fixes and Improvements
This update fixes over 40 bugs that were reported in the last several months. \
The issues listed below affect PostgreSQL 14. Some of these issues may also \
affect other supported versions of PostgreSQL.
Some of these fixes include:
Fix physical replication for cases where the primary crashes after shipping a \
WAL segment that ends with a partial WAL record. When applying this update, \
update your standby servers before the primary so that they will be ready to \
handle the fix if the primary happens to crash.
Fix parallel VACUUM so that it will process indexes below the \
min_parallel_index_scan_size threshold if the table has at least two indexes \
that are above that size. This problem does not affect autovacuum. If you are \
affected by this issue, you should reindex any manually-vacuumed tables.
Fix causes of CREATE INDEX CONCURRENTLY and REINDEX CONCURRENTLY writing corrupt \
indexes. You should reindex any concurrently-built indexes.
Fix for attaching/detaching a partition that could allow certain INSERT/UPDATE \
queries to misbehave in active sessions.
Fix for creating a new range type with CREATE TYPE that could cause problems for \
later event triggers or subsequent executions of the CREATE TYPE command.
Fix updates of element fields in arrays of a domain that is a part of a composite.
Disallow the combination of FETCH FIRST WITH TIES and FOR UPDATE SKIP LOCKED.
Fix corner-case loss of precision in the numeric power() function.
Fix restoration of a Portal's snapshot inside a subtransaction, which could lead \
to a crash. For example, this could occur in PL/pgSQL when a COMMIT is \
immediately followed by a BEGIN ... EXCEPTION block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot. This \
could occur if a replication slot was created then rolled back, and then another \
replication slot was created in the same session.
Fix for "overflowed-subtransaction" wraparound tracking on standby \
servers that could lead to performance degradation.
Ensure that prepared transactions are properly accounted for during promotion of \
a standby server.
Ensure that the correct lock level is used when renaming a table.
Avoid crash when dropping a role that owns objects being dropped concurrently.
Disallow setting huge_pages to on when shared_memory_type is sysv
Fix query type checking in the PL/pgSQL RETURN QUERY.
Several fixes for pg_dump, including the ability to dump non-global default \
privileges correctly.
Use the CLDR project's data to map Windows time zone names to IANA time zones.
This update also contains tzdata release 2021e for DST law changes in Fiji, \
Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook \
Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the \
following zones have been merged into nearby, more-populous zones whose clocks \
have agreed with them since 1970: Africa/Accra, America/Atikokan, \
America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, \
America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all \
these cases, the previous zone name remains as an alias.
|