PostgreSQL update with vulnerabilities fixed. Odyssey connection balancer 1.2 release

Corrective updates have been released for all supported PostgreSQL branches: 14.1, 13.5, 12.9, 11.14, 10.19 and 9.6.24. Release 9.6.24 is the last update for the deprecated 9.6 branch. Updates for branch 10 will be produced until November 2022, 11 until November 2023, 12 until November 2024, 13 until November 2025, and 14 until November 2026.

The new versions include more than 40 fixes and close two vulnerabilities (CVE-2021-23214, CVE-2021-23222) in the server process and the libpq client library. The vulnerabilities allow a man-in-the-middle (MITM) attacker to inject data into an encrypted communication channel. The attack does not require a valid SSL certificate and works even against systems that require client certificate authentication. On the server side, the attacker can inject their own SQL query at the moment the encrypted connection between the client and the PostgreSQL server is being established. On the libpq side, the vulnerability allows an attacker to return a forged server response to the client. Together, the vulnerabilities make it possible to extract the password or other sensitive client data transmitted early in the connection.

Separately, Yandex has published version 1.2 of the Odyssey proxy server, which maintains a pool of open connections to the PostgreSQL DBMS and routes client requests. Odyssey supports running multiple worker processes with multi-threaded handlers, routing a reconnecting client back to the same server, and binding connection pools to users and databases. The code is written in C and distributed under the BSD license.

The new version of Odyssey adds protection that blocks data injected after SSL session negotiation, which defends against attacks using the CVE-2021-23214 and CVE-2021-23222 vulnerabilities described above. Support for PAM and LDAP has been implemented, integration with the Prometheus monitoring system has been added, and the calculation of statistics has been improved to take into account the execution time of transactions and queries.
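The check described above, as an added illustration rather than code from PostgreSQL or Odyssey: on both ends of the connection, the SSL negotiation is a fixed-size exchange (an 8-byte SSLRequest, answered by a single byte), so any extra bytes already buffered at that point arrived in cleartext and must not be carried over into the encrypted session. The function names and the sample byte strings are constructed for this example.

```python
import struct

# SSLRequest code from the PostgreSQL wire protocol: (1234 << 16) | 5679
SSL_REQUEST_CODE = 80877103


def split_ssl_request(buf: bytes):
    """Server side: recognise an SSLRequest in the bytes read so far.

    Returns (is_ssl_request, trailing_bytes). The message is exactly
    8 bytes: a 4-byte length (8) and a 4-byte request code.
    """
    if len(buf) < 8:
        return False, b""
    length, code = struct.unpack("!II", buf[:8])
    if length != 8 or code != SSL_REQUEST_CODE:
        return False, b""
    return True, buf[8:]


def server_accept_ssl_request(buf: bytes) -> str:
    """Decide what a hardened server does with its initial read buffer."""
    is_ssl, trailing = split_ssl_request(buf)
    if not is_ssl:
        return "not-ssl-request"
    if trailing:
        # Bytes after SSLRequest predate the TLS handshake, so they did not
        # come from the authenticated peer: refuse instead of replaying them.
        return "reject: unencrypted data after SSL request"
    return "ok: start TLS handshake"


def client_check_ssl_response(buf: bytes) -> str:
    """Client side: the server answers SSLRequest with exactly one byte,
    'S' (proceed with SSL) or 'N' (no SSL). Anything beyond that byte was
    injected in cleartext and must not be treated as server output."""
    if not buf:
        return "incomplete"
    answer, trailing = buf[:1], buf[1:]
    if answer not in (b"S", b"N"):
        return "reject: unexpected response"
    if trailing:
        return "reject: unencrypted data after SSL response"
    return "ok: start TLS handshake" if answer == b"S" else "ok: server declined SSL"


# Constructed sample traffic: a clean SSLRequest and one with a query appended.
CLEAN_REQUEST = struct.pack("!II", 8, SSL_REQUEST_CODE)
TAMPERED_REQUEST = CLEAN_REQUEST + b"Q\x00\x00\x00\x0bSELECT 1\x00"
```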

Source: opennet.ru