ALT-PU-2021-3600-1
Package postgresql12 updated to version 12.9-alt0.M90P.1 for branch c9f2 in task 292389.
Closed vulnerabilities
BDU:2021-04174
Уязвимость системы управления базами данных PostgreSQL, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации или вызвать отказ в обслуживании
BDU:2021-05535
Уязвимость библиотеки libpq системы управления базами данных PostgreSQL, позволяющая нарушителю реализовать атаку типа «человек посередине»
BDU:2021-05857
Уязвимость системы управления базами данных PostgreSQL, связанная с непринятием мер по шифрованию защищаемых данных, позволяющая нарушителю реализовать атаку типа «человек посередине»
BDU:2021-05996
Уязвимость системы управления базами данных PostgreSQL, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю выполнить произвольный код
Modified: 2024-11-21
CVE-2021-23214
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
- https://bugzilla.redhat.com/show_bug.cgi?id=2022666
- https://bugzilla.redhat.com/show_bug.cgi?id=2022666
- https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commit%3Bh=28e24125541545483093819efae9bca603441951
- https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commit%3Bh=28e24125541545483093819efae9bca603441951
- https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951
- https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951
- GLSA-202211-04
- GLSA-202211-04
- https://www.postgresql.org/support/security/CVE-2021-23214/
- https://www.postgresql.org/support/security/CVE-2021-23214/
Modified: 2024-11-21
CVE-2021-23222
A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.
- https://bugzilla.redhat.com/show_bug.cgi?id=2022675
- https://bugzilla.redhat.com/show_bug.cgi?id=2022675
- https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commitdiff%3Bh=d83cdfdca9d918bbbd6bb209139b94c954da7228
- https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commitdiff%3Bh=d83cdfdca9d918bbbd6bb209139b94c954da7228
- https://github.com/postgres/postgres/commit/160c0258802d10b0600d7671b1bbea55d8e17d45
- https://github.com/postgres/postgres/commit/160c0258802d10b0600d7671b1bbea55d8e17d45
- GLSA-202211-04
- GLSA-202211-04
- https://www.postgresql.org/support/security/CVE-2021-23222/
- https://www.postgresql.org/support/security/CVE-2021-23222/
Modified: 2024-11-21
CVE-2021-3677
A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting.
- https://bugzilla.redhat.com/show_bug.cgi?id=2001857
- https://bugzilla.redhat.com/show_bug.cgi?id=2001857
- GLSA-202211-04
- GLSA-202211-04
- https://security.netapp.com/advisory/ntap-20220407-0008/
- https://security.netapp.com/advisory/ntap-20220407-0008/
- https://www.postgresql.org/support/security/CVE-2021-3677/
- https://www.postgresql.org/support/security/CVE-2021-3677/
Modified: 2024-11-21
CVE-2021-43767
Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL.