
Accepted postgresql-11 11.14-0+deb10u1 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 11 Nov 2021 12:53:26 +0100
Source: postgresql-11
Architecture: source
Version: 11.14-0+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-11 (11.14-0+deb10u1) buster-security; urgency=medium
 .
   * New upstream security release.
 .
     + Make the server and libpq reject extraneous data after an SSL or GSS
       encryption handshake (Tom Lane)
 .
       A man-in-the-middle with the ability to inject data into the TCP
       connection could stuff some cleartext data into the start of a
       supposedly encryption-protected database session.
 .
       This could be abused to send faked SQL commands to the server, although
       that would only work if the server did not demand any authentication
       data.  (However, a server relying on SSL certificate authentication
       might well not do so.) (CVE-2021-23214)
 .
       This could probably be abused to inject faked responses to the client's
       first few queries, although other details of libpq's behavior make that
       harder than it sounds.  A different line of attack is to exfiltrate the
       client's password, or other sensitive data that might be sent early in
       the session.  That has been shown to be possible with a server
       vulnerable to CVE-2021-23214. (CVE-2021-23222)
 .
       The PostgreSQL Project thanks Jacob Champion for reporting these
       problems.
Checksums-Sha1:
 a9e533415d046807fc75263d48d237d52506b153 3745 postgresql-11_11.14-0+deb10u1.dsc
 18c8ef5ca8314ce18f1bd10b6cd6f3e4c7099e64 20172910 postgresql-11_11.14.orig.tar.bz2
 7ab89fc52a703c73ea2f6ed18c231a3e4a7c2a9b 28084 postgresql-11_11.14-0+deb10u1.debian.tar.xz
Checksums-Sha256:
 1315b0b02f2788ecd3aaf0fc581f05316d4fd72c17268453e2d7066082c1584a 3745 postgresql-11_11.14-0+deb10u1.dsc
 965c7f4be96fb64f9581852c58c4f05c3812d4ad823c0f3e2bdfe777c162f999 20172910 postgresql-11_11.14.orig.tar.bz2
 f2c58526fdfad5cfc96e14bd9df4a24dc3e6335d5ec928ceaa5696e038439d28 28084 postgresql-11_11.14-0+deb10u1.debian.tar.xz
Files:
 2fd47da3ba89b8c4902b36e30bdb3c8c 3745 database optional postgresql-11_11.14-0+deb10u1.dsc
 53e02a579932a3f1c38f79685ecd36be 20172910 database optional postgresql-11_11.14.orig.tar.bz2
 c26e76d3750bc4c95b69dacc21a6baca 28084 database optional postgresql-11_11.14-0+deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
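The client-side half of the fix described in the changelog, as an added illustration written for this page (it is not libpq's code and not part of this upload): the one-byte reply to SSLRequest is accepted only if nothing else is already sitting on the cleartext TCP stream. Function names are this example's own, and the injected bytes in the test are constructed.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest packet: int32 length (8) followed by the magic code 80877103.
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Return the 8-byte SSLRequest a client sends before any TLS handshake."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def validate_ssl_response(buf: bytes) -> str:
    """Validate everything the server sent back in reply to SSLRequest.

    The legitimate answer is exactly one byte: 'S' (proceed with TLS) or 'N'
    (no TLS).  Any further bytes arrived on the still-unencrypted stream, so a
    hardened client treats them as injected data and aborts instead of letting
    them be read as the first "encrypted" protocol messages.
    Returns 'S' or 'N'; raises ConnectionError otherwise.
    """
    if not buf:
        raise ConnectionError("server closed the connection before answering SSLRequest")
    if len(buf) != 1:
        raise ConnectionError(
            "%d extraneous byte(s) after SSLRequest response; aborting" % (len(buf) - 1)
        )
    if buf not in (b"S", b"N"):
        raise ConnectionError("unexpected SSLRequest response %r" % buf)
    return buf.decode("ascii")


def start_tls(sock: socket.socket, hostname: str, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Negotiate TLS on a freshly connected PostgreSQL socket (needs a live server).

    A non-blocking peek after the first byte catches cleartext already queued
    behind the 'S'; bytes injected later are not valid TLS records and make
    the handshake itself fail.
    """
    sock.sendall(build_ssl_request())
    buf = sock.recv(1)
    sock.setblocking(False)
    try:
        buf += sock.recv(4096, socket.MSG_PEEK)  # anything already buffered?
    except BlockingIOError:
        pass  # nothing else has arrived yet
    finally:
        sock.setblocking(True)
    if validate_ssl_response(buf) != "S":
        raise ConnectionError("server refused TLS; not continuing in cleartext")
    return ctx.wrap_socket(sock, server_hostname=hostname)
```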

