Complete release notes available at: https://www.postgresql.org/about/news/postgresql-141-135-129-1114-1019-and-9624-released-2349/

*CVE-2021-23214: Server processes unencrypted bytes from man-in-the-middle*

Versions Affected: 9.6 - 14. The security team typically does not test unsupported versions, but this problem is quite old.

When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.

The PostgreSQL project thanks Jacob Champion for reporting this problem.

*CVE-2021-23222: libpq processes unencrypted bytes from man-in-the-middle*

Versions Affected: 9.6 - 14. The security team typically does not test unsupported versions, but this problem is quite old.

A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. If more preconditions hold, the attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session. The attacker must have a way to trick the client's intended server into making the confidential data accessible to the attacker. A known implementation having that property is a PostgreSQL configuration vulnerable to CVE-2021-23214. As with any exploitation of CVE-2021-23214, the server must be using trust authentication with a clientcert requirement or using cert authentication. To disclose a password, the client must be in possession of a password, which is atypical when using an authentication configuration vulnerable to CVE-2021-23214. The attacker must have some other way to access the server to retrieve the exfiltrated data (a valid, unprivileged login account would be sufficient).

The PostgreSQL project thanks Jacob Champion for reporting this problem.
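Added here as a defender-side illustration, not part of the bug report or of PostgreSQL's or Gentoo's own tooling: a small Python audit that parses pg_hba.conf rules and flags the two server configurations the advisory names (cert authentication, or trust authentication with a clientcert requirement), and checks a server version against the fixed releases listed in the notes above. The sample pg_hba.conf is constructed, and the AUTH_METHODS and CLIENTCERT_REQUIRED sets are assumptions about the file format.

```python
"""Audit pg_hba.conf for the CVE-2021-23214 preconditions (added example for
this thread, not PostgreSQL's or Gentoo's own tooling): flags 'cert' auth or
'trust' with a clientcert requirement, and checks a version against the
fixed releases named in the release notes linked above."""
import shlex

AUTH_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
                "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}
CLIENTCERT_REQUIRED = {"1", "verify-ca", "verify-full"}  # cert is mandatory
FIXED = {"9.6": (9, 6, 24), "10": (10, 19), "11": (11, 14),  # first fixed
         "12": (12, 9), "13": (13, 5), "14": (14, 1)}         # release per major

SAMPLE_HBA = """\
# Constructed sample; the last two rules match the advisory's preconditions.
local   all  all                       peer
hostssl all  all  10.0.0.0/8           scram-sha-256 clientcert=verify-full
hostssl all  all  10.0.0.0 255.0.0.0   trust clientcert=verify-ca
hostssl all  app  192.0.2.0/24         cert map=appmap
"""

def parse_rule(line):
    """(type, method, options) for a rule line; None for blanks and comments.
    The method is located by name because ADDRESS may be one CIDR token or
    an IP followed by a separate netmask token."""
    tokens = shlex.split(line, comments=True)
    for i, tok in enumerate(tokens[1:], start=1):
        if tok in AUTH_METHODS:
            return tokens[0], tok, tokens[i + 1:]
    return None

def rule_is_exposed(rule):
    """True for cert auth, or trust auth that requires a client certificate."""
    _conn_type, method, options = rule
    if method == "cert":
        return True
    opts = dict(opt.partition("=")[::2] for opt in options)
    return method == "trust" and opts.get("clientcert") in CLIENTCERT_REQUIRED

def exposed_rules(hba_text):
    """All exposed (type, method, options) rules in a pg_hba.conf text."""
    rules = map(parse_rule, hba_text.splitlines())
    return [r for r in rules if r and rule_is_exposed(r)]

def version_is_fixed(version):
    """True when a 'major.minor' server version string contains the fix."""
    parts = tuple(int(p) for p in version.split("."))
    major = "9.6" if parts[:2] == (9, 6) else str(parts[0])
    if major not in FIXED:           # 15 and later were released after the fix
        return parts[0] > 14
    return parts >= FIXED[major]
```

Running `exposed_rules(SAMPLE_HBA)` on the constructed sample reports the trust-with-clientcert rule and the cert rule; the scram-sha-256 rule is not flagged even though it also requires a client certificate.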
=====================================================================

Please stabilize the following packages:

=dev-db/postgresql-9.6.24 ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-10.19 ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-11.14 ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-12.9 ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-13.5 ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
Unable to check for sanity:

> no match for package: dev-db/postgresql-10.19
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ac98e53d0345baa54143f226630a9512137c0c6

commit 3ac98e53d0345baa54143f226630a9512137c0c6
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2021-11-11 17:48:05 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2021-11-11 18:04:44 +0000

    dev-db/postgresql: Security bump

    Versions bumped to:
    - 14.1
    - 13.5
    - 12.9
    - 11.14
    - 10.19
    - 9.6.24

    This is the final release of 9.6. 9.6 will be removed 30 days after the
    next regular release cycle or security release, whichever is first.

    Complete release notes available at:
    https://www.postgresql.org/about/news/postgresql-141-135-129-1114-1019-and-9624-released-2349/

    Security fixes:
    - CVE-2021-23214: Server processes unencrypted bytes from man-in-the-middle
    - CVE-2021-23222: libpq processes unencrypted bytes from man-in-the-middle

    Bug: https://bugs.gentoo.org/823125
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/postgresql-10.19.ebuild  | 458 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-11.14.ebuild  | 455 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-12.9.ebuild   | 455 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-13.5.ebuild   | 467 ++++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.6.24.ebuild | 479 +++++++++++++++++++++++++++++
 5 files changed, 2314 insertions(+)
All sanity-check issues have been resolved
What I use to test these packages:

    for p in postgresql-{9.6.24,10.19,11.14,12.9,13.5}.ebuild; do
        ebuild ${p} clean
        USE="-server" ebuild ${p} compile || break
        ebuild ${p} clean
        USE="server" FEATURES="userpriv test" LC_ALL="C" ebuild ${p} install || break
        ebuild ${p} clean
    done
Maybe I misunderstand the process here but it seems 14.1 has not been updated. Is it still coming?
(In reply to Holger Hoffstätte from comment #5)
> Maybe I misunderstand the process here but it seems 14.1 has not been
> updated. Is it still coming?

I'm sorry. I should have explicitly stated that 14.1 is /not/ eligible for a rapid stable as 14.0 hasn't been stabled.
sparc done
amd64 done
x86 done
ppc done
ppc64 done
Keywords are not fully specified and arches are not CC-ed for the following packages:

- =dev-db/postgresql-10.19
- =dev-db/postgresql-11.14
- =dev-db/postgresql-12.9
- =dev-db/postgresql-13.5
- =dev-db/postgresql-9.6.24
Affected packages removed.

origin/master cf21ef6300a1912904f4de29896b89a61286120c
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: Thu Nov 18 10:11:49 2021 -0500
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: Thu Nov 18 10:11:49 2021 -0500
Parent:     1e94da60af1 dev-db/postgresql: Actually bump to 14.1
Merged:     master
Contained:  master

    dev-db/postgresql: Cleanup insecure

    Bugs: https://bugs.gentoo.org/823125
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 12 files changed, 5107 deletions(-)
 dev-db/postgresql/Manifest                    |  11 -
 dev-db/postgresql/postgresql-10.17-r2.ebuild  | 459 ------------------------
 dev-db/postgresql/postgresql-10.18.ebuild     | 458 ------------------------
 dev-db/postgresql/postgresql-11.12.ebuild     | 455 ------------------------
 dev-db/postgresql/postgresql-11.13.ebuild     | 455 ------------------------
 dev-db/postgresql/postgresql-12.7.ebuild      | 455 ------------------------
 dev-db/postgresql/postgresql-12.8.ebuild      | 455 ------------------------
 dev-db/postgresql/postgresql-13.3.ebuild      | 467 -------------------------
 dev-db/postgresql/postgresql-13.4.ebuild      | 467 -------------------------
 dev-db/postgresql/postgresql-14.0.ebuild      | 467 -------------------------
 dev-db/postgresql/postgresql-9.6.22-r2.ebuild | 479 --------------------------
 dev-db/postgresql/postgresql-9.6.23.ebuild    | 479 --------------------------
Thanks!
GLSA request filed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=694f26b01e42989d9051936ddeae825e13b4acb3

commit 694f26b01e42989d9051936ddeae825e13b4acb3
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-19 03:33:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:39 +0000

    [ GLSA 202211-04 ] PostgreSQL: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/793734
    Bug: https://bugs.gentoo.org/808984
    Bug: https://bugs.gentoo.org/823125
    Bug: https://bugs.gentoo.org/865255
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-04.xml | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
GLSA released, all done!