Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 823125 (CVE-2021-23214, CVE-2021-23222) - <dev-db/postgresql-{9.6.24,10.19,11.14,12.9,13.5,14.1}: Multiple vulnerabilities (CVE-2021-{23214,23222})
Summary: <dev-db/postgresql-{9.6.24,10.19,11.14,12.9,13.5,14.1}: Multiple vulnerabilit...
Status: RESOLVED FIXED
Alias: CVE-2021-23214, CVE-2021-23222
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 823662
Blocks: CVE-2021-3677
  Show dependency tree
 
Reported: 2021-11-11 17:53 UTC by Aaron W. Swenson
Modified: 2022-11-22 04:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: No


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aaron W. Swenson gentoo-dev 2021-11-11 17:53:40 UTC
Complete release notes available at: https://www.postgresql.org/about/news/postgresql-141-135-129-1114-1019-and-9624-released-2349/

*CVE-2021-23214: Server processes unencrypted bytes from man-in-the-middle*

Versions Affected: 9.6 - 14. The security team typically does not test unsupported versions, but this problem is quite old.

When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.

The PostgreSQL project thanks Jacob Champion for reporting this problem.

*CVE-2021-23222: libpq processes unencrypted bytes from man-in-the-middle*

Versions Affected: 9.6 - 14. The security team typically does not test unsupported versions, but this problem is quite old.

A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.

If more preconditions hold, the attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session. The attacker must have a way to trick the client's intended server into making the confidential data accessible to the attacker. A known implementation having that property is a PostgreSQL configuration vulnerable to CVE-2021-23214.

As with any exploitation of CVE-2021-23214, the server must be using trust authentication with a clientcert requirement or using cert authentication. To disclose a password, the client must be in possession of a password, which is atypical when using an authentication configuration vulnerable to CVE-2021-23214. The attacker must have some other way to access the server to retrieve the exfiltrated data (a valid, unprivileged login account would be sufficient).

The PostgreSQL project thanks Jacob Champion for reporting this problem.


=====================================================================

Please stabilize the following packages:
=dev-db/postgresql-9.6.24 ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-10.19 ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-11.14 ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-12.9 ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-13.5 ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
Comment 1 NATTkA bot gentoo-dev 2021-11-11 17:56:24 UTC Comment hidden (obsolete)
Comment 2 Larry the Git Cow gentoo-dev 2021-11-11 18:05:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ac98e53d0345baa54143f226630a9512137c0c6

commit 3ac98e53d0345baa54143f226630a9512137c0c6
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2021-11-11 17:48:05 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2021-11-11 18:04:44 +0000

    dev-db/postgresql: Security bump
    
    Versions bumped to:
     - 14.1
     - 13.5
     - 12.9
     - 11.14
     - 10.19
     - 9.6.24
    
    This is the final release of 9.6. 9.6 will be removed 30 days after the next
    regular release cycle or security release, whichever is first.
    
    Complete release notes available at:
    https://www.postgresql.org/about/news/postgresql-141-135-129-1114-1019-and-9624-released-2349/
    
    Security fixes:
     - CVE-2021-23214: Server processes unencrypted bytes from man-in-the-middle
     - CVE-2021-23222: libpq processes unencrypted bytes from man-in-the-middle
    
    Bug: https://bugs.gentoo.org/823125
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/postgresql-10.19.ebuild  | 458 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-11.14.ebuild  | 455 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-12.9.ebuild   | 455 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-13.5.ebuild   | 467 ++++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.6.24.ebuild | 479 +++++++++++++++++++++++++++++
 5 files changed, 2314 insertions(+)
Comment 3 NATTkA bot gentoo-dev 2021-11-11 18:08:28 UTC Comment hidden (obsolete)
Comment 4 Aaron W. Swenson gentoo-dev 2021-11-11 18:12:22 UTC
What I use to test these packages:

for p in postgresql-{9.6.24,10.19,11.14,12.9,13.5}.ebuild; do
  ebuild ${p} clean
  USE="-server" ebuild ${p} compile || break
  ebuild ${p} clean
  USE="server" FEATURES="userpriv test" LC_ALL="C" ebuild ${p} install || break
  ebuild ${p} clean
done
Comment 5 Holger Hoffstätte 2021-11-11 20:36:04 UTC
Maybe I misunderstand the process here but it seems 14.1 has not been updated. Is it still coming?
Comment 6 Aaron W. Swenson gentoo-dev 2021-11-11 20:49:14 UTC
(In reply to Holger Hoffstätte from comment #5)
> Maybe I misunderstand the process here but it seems 14.1 has not been
> updated. Is it still coming?

I'm sorry. I should have explicitly stated that 14.1 is /not/ eligible for a rapid stable as 14.0 hasn't been stabled.
Comment 7 Arthur Zamarin archtester Gentoo Infrastructure gentoo-dev Security 2021-11-12 08:01:01 UTC
sparc done
Comment 8 Jakov Smolić archtester gentoo-dev 2021-11-12 09:17:34 UTC
amd64 done
Comment 9 Jakov Smolić archtester gentoo-dev 2021-11-12 09:52:33 UTC
x86 done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-13 11:34:01 UTC
ppc done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-13 11:34:05 UTC
ppc64 done
Comment 12 NATTkA bot gentoo-dev 2021-11-14 03:40:28 UTC
Keywords are not fully specified and arches are not CC-ed for the following packages:

- =dev-db/postgresql-10.19
- =dev-db/postgresql-11.14
- =dev-db/postgresql-12.9
- =dev-db/postgresql-13.5
- =dev-db/postgresql-9.6.24
Comment 13 Aaron W. Swenson gentoo-dev 2021-11-18 15:14:48 UTC
Affected packages removed.

origin/master cf21ef6300a1912904f4de29896b89a61286120c
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: Thu Nov 18 10:11:49 2021 -0500
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: Thu Nov 18 10:11:49 2021 -0500

Parent:     1e94da60af1 dev-db/postgresql: Actually bump to 14.1
Merged:     master
Contained:  master

dev-db/postgresql: Cleanup insecure

Bugs: https://bugs.gentoo.org/823125
Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

12 files changed, 5107 deletions(-)
dev-db/postgresql/Manifest                    |  11 -
dev-db/postgresql/postgresql-10.17-r2.ebuild  | 459 ------------------------
dev-db/postgresql/postgresql-10.18.ebuild     | 458 ------------------------
dev-db/postgresql/postgresql-11.12.ebuild     | 455 ------------------------
dev-db/postgresql/postgresql-11.13.ebuild     | 455 ------------------------
dev-db/postgresql/postgresql-12.7.ebuild      | 455 ------------------------
dev-db/postgresql/postgresql-12.8.ebuild      | 455 ------------------------
dev-db/postgresql/postgresql-13.3.ebuild      | 467 -------------------------
dev-db/postgresql/postgresql-13.4.ebuild      | 467 -------------------------
dev-db/postgresql/postgresql-14.0.ebuild      | 467 -------------------------
dev-db/postgresql/postgresql-9.6.22-r2.ebuild | 479 --------------------------
dev-db/postgresql/postgresql-9.6.23.ebuild    | 479 --------------------------
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-18 16:17:17 UTC
Thanks!
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 03:00:58 UTC
GLSA request filed.
Comment 16 Larry the Git Cow gentoo-dev 2022-11-22 04:01:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=694f26b01e42989d9051936ddeae825e13b4acb3

commit 694f26b01e42989d9051936ddeae825e13b4acb3
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-19 03:33:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:39 +0000

    [ GLSA 202211-04 ] PostgreSQL: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/793734
    Bug: https://bugs.gentoo.org/808984
    Bug: https://bugs.gentoo.org/823125
    Bug: https://bugs.gentoo.org/865255
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-04.xml | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 04:03:57 UTC
GLSA released, all done!