ALT-PU-2021-3254-1
Package postgresql13 updated to version 13.5-alt1 for branch sisyphus in task 289288.
Closed vulnerabilities
BDU:2021-05535
Уязвимость библиотеки libpq системы управления базами данных PostgreSQL, позволяющая нарушителю реализовать атаку типа «человек посередине»
BDU:2021-05857
Уязвимость системы управления базами данных PostgreSQL, связанная с непринятием мер по шифрованию защищаемых данных, позволяющая нарушителю реализовать атаку типа «человек посередине»
BDU:2021-05996
Уязвимость системы управления базами данных PostgreSQL, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю выполнить произвольный код
Modified: 2024-11-21
CVE-2021-23214
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
- https://bugzilla.redhat.com/show_bug.cgi?id=2022666
- https://bugzilla.redhat.com/show_bug.cgi?id=2022666
- https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commit%3Bh=28e24125541545483093819efae9bca603441951
- https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commit%3Bh=28e24125541545483093819efae9bca603441951
- https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951
- https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951
- GLSA-202211-04
- GLSA-202211-04
- https://www.postgresql.org/support/security/CVE-2021-23214/
- https://www.postgresql.org/support/security/CVE-2021-23214/
Modified: 2024-11-21
CVE-2021-23222
A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.
- https://bugzilla.redhat.com/show_bug.cgi?id=2022675
- https://bugzilla.redhat.com/show_bug.cgi?id=2022675
- https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commitdiff%3Bh=d83cdfdca9d918bbbd6bb209139b94c954da7228
- https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commitdiff%3Bh=d83cdfdca9d918bbbd6bb209139b94c954da7228
- https://github.com/postgres/postgres/commit/160c0258802d10b0600d7671b1bbea55d8e17d45
- https://github.com/postgres/postgres/commit/160c0258802d10b0600d7671b1bbea55d8e17d45
- GLSA-202211-04
- GLSA-202211-04
- https://www.postgresql.org/support/security/CVE-2021-23222/
- https://www.postgresql.org/support/security/CVE-2021-23222/
Modified: 2024-11-21
CVE-2021-43767
Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL.