[ASA-202204-1] postgresql: man-in-the-middle
Arch Linux Security Advisory ASA-202204-1
=========================================

Severity: High
Date    : 2022-04-04
CVE-ID  : CVE-2021-23214
Package : postgresql
Type    : man-in-the-middle
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2546

Summary
=======

The package postgresql before version 13.5-1 is vulnerable to
man-in-the-middle.

Resolution
==========

Upgrade to 13.5-1.

# pacman -Syu "postgresql>=13.5-1"

The problem has been fixed upstream in version 13.5.

Workaround
==========

None.

Description
===========

A security issue has been found in PostgreSQL versions 9.6 up to 14.
When the server is configured to use trust authentication with a
clientcert requirement or to use cert authentication, a man-in-the-middle
attacker can inject arbitrary SQL queries when a connection is first
established, despite the use of SSL certificate verification and
encryption.

Impact
======

A man-in-the-middle attacker is able to inject arbitrary SQL queries when
a connection is first established, despite the use of SSL certificate
verification and encryption.

References
==========

https://www.postgresql.org/support/security/CVE-2021-23214/
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=28e241255...
https://security.archlinux.org/CVE-2021-23214
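The Description names two pg_hba.conf configurations under which an unpatched server is exposed: `cert` authentication, or `trust` authentication combined with a `clientcert` requirement. The following added example (not part of this advisory, nor Arch's or PostgreSQL's own code) parses a pg_hba.conf and lists the rules that match those preconditions, so an administrator can confirm whether the upgrade is urgent for a given host; the sample configuration is constructed.

```python
"""Flag pg_hba.conf rules that match the CVE-2021-23214 preconditions (added example)."""
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample pg_hba.conf, not taken from any real deployment.
SAMPLE_HBA = """\
local   all  all                                 peer
hostssl all  all  10.0.0.0/8                     cert
hostssl all  app  192.168.1.0  255.255.255.0     trust  clientcert=verify-full
hostssl all  all  0.0.0.0/0                      scram-sha-256
host    all  all  127.0.0.1/32                   trust   # no client cert required
"""

def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_pg_hba(text: str) -> list[dict]:
    """Parse the TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD [OPTIONS] layout into dicts."""
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()          # drop comments, split on whitespace
        if not f or f[0] not in HOST_TYPES | {"local"}:
            continue                              # blank line or include directive
        if f[0] == "local":                       # Unix-socket rule: no ADDRESS column
            address, rest = "", f[3:]
        elif _is_ip(f[3]) and len(f) > 4 and _is_ip(f[4]):
            address, rest = f"{f[3]}/{f[4]}", f[5:]   # address + separate netmask
        else:
            address, rest = f[3], f[4:]               # CIDR or hostname
        options = dict(o.split("=", 1) for o in rest[1:] if "=" in o)
        rules.append({"type": f[0], "database": f[1], "user": f[2],
                      "address": address, "method": rest[0], "options": options})
    return rules

def exposed_rules(rules: list[dict]) -> list[dict]:
    """Rules the advisory names as exploitable on an unpatched server: 'cert'
    authentication, or 'trust' authentication with a clientcert requirement."""
    return [r for r in rules if r["method"] == "cert"
            or (r["method"] == "trust" and r["options"].get("clientcert", "0") != "0")]

if __name__ == "__main__":
    for r in exposed_rules(parse_pg_hba(SAMPLE_HBA)):
        print("exposed:", r["type"], r["database"], r["user"], r["address"], r["method"], r["options"])
```

Plain `trust` without a client-certificate requirement (the last sample line) is not flagged, because the advisory ties the issue to certificate-based connection setup; it remains poor hygiene for other reasons.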
participants (1)
-
Levente Polyak