Release notes say: A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. (CVE-2022-41862) Affected versions: <dev-db-postgresql-{11.19,12.14,13.10,14.7,15.2} (in their respective slots) Stabilization requested in #903191
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=696842817115e2e1b327a70ef4b538dea4a56278 commit 696842817115e2e1b327a70ef4b538dea4a56278 Author: Patrick Lauer <patrick@gentoo.org> AuthorDate: 2023-03-30 16:43:33 +0000 Commit: Patrick Lauer <patrick@gentoo.org> CommitDate: 2023-03-30 16:44:02 +0000 dev-db/postgresql: drop versions Bug: https://bugs.gentoo.org/903193 Signed-off-by: Patrick Lauer <patrick@gentoo.org> dev-db/postgresql/Manifest | 11 - dev-db/postgresql/postgresql-10.22.ebuild | 453 ----------------------------- dev-db/postgresql/postgresql-11.17.ebuild | 453 ----------------------------- dev-db/postgresql/postgresql-11.18.ebuild | 453 ----------------------------- dev-db/postgresql/postgresql-12.12.ebuild | 453 ----------------------------- dev-db/postgresql/postgresql-12.13.ebuild | 453 ----------------------------- dev-db/postgresql/postgresql-13.8.ebuild | 465 ----------------------------- dev-db/postgresql/postgresql-13.9.ebuild | 465 ----------------------------- dev-db/postgresql/postgresql-14.5.ebuild | 465 ----------------------------- dev-db/postgresql/postgresql-14.6.ebuild | 465 ----------------------------- dev-db/postgresql/postgresql-15.0.ebuild | 467 ------------------------------ dev-db/postgresql/postgresql-15.1.ebuild | 467 ------------------------------ 12 files changed, 5070 deletions(-)
Thanks!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=7240eff2e6b5c1e8d1af9a65cfa3c6c31e355595 commit 7240eff2e6b5c1e8d1af9a65cfa3c6c31e355595 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-08-07 08:28:46 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-08-07 08:29:00 +0000 [ GLSA 202408-06 ] PostgreSQL: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/903193 Bug: https://bugs.gentoo.org/912251 Bug: https://bugs.gentoo.org/917153 Bug: https://bugs.gentoo.org/924110 Bug: https://bugs.gentoo.org/931849 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202408-06.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+)
