Date: Thu, 11 Nov 2021 14:37:11 GMT From: Palle Girgensohn <girgen@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: e48db637c06e - main - security/vuxml: Document latest PostgreSQL vulnerability Message-ID: <202111111437.1ABEbB23059925@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by girgen: URL: https://cgit.FreeBSD.org/ports/commit/?id=e48db637c06e4a5580b64ee65a50db63c2fa19f0 commit e48db637c06e4a5580b64ee65a50db63c2fa19f0 Author: Palle Girgensohn <girgen@FreeBSD.org> AuthorDate: 2021-11-10 21:33:26 +0000 Commit: Palle Girgensohn <girgen@FreeBSD.org> CommitDate: 2021-11-11 14:37:01 +0000 security/vuxml: Document latest PostgreSQL vulnerability * CVE-2021-23214 * CVE-2021-23222 --- security/vuxml/vuln-2021.xml | 47 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index a1e3a9c26a5b..6622853e0a1e 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -1,3 +1,50 @@ + <vuln vid="2ccd71bd-426b-11ec-87db-6cc21735f730"> + <topic>PostgreSQL -- Possible man-in-the-middle attacks</topic> + <affects> + <package> + <name>postgresql14-server</name> + <range><lt>14.1</lt></range> + </package> + <package> + <name>postgresql13-server</name> + <range><lt>13.5</lt></range> + </package> + <package> + <name>postgresql12-server</name> + <range><lt>12.9</lt></range> + </package> + <package> + <name>postgresql11-server</name> + <range><lt>11.14</lt></range> + </package> + <package> + <name>postgresql10-server</name> + <range><lt>10.19</lt></range> + </package> + <package> + <name>postgresql96-server</name> + <range><lt>9.6.24</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The PostgreSQL Project reports:</p> + <blockquote cite="INSERT URL HERE"> + <p> CVE-2021-23214: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.) </p> + <p> CVE-2021-23222: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214. </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-23214</cvename> + <cvename>CVE-2021-23222</cvename> + </references> + <dates> + <discovery>2021-11-08</discovery> + <entry>2021-11-10</entry> + </dates> + </vuln> + <vuln vid="bfea59e0-41ee-11ec-9bac-589cfc007716"> <topic>puppet -- Silent Configuration Failure</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202111111437.1ABEbB23059925>