PostgreSQL Minor release – Nov 2021

PostgreSQL 14.1, 13.5, 12.9, 11.14, 10.19, and 9.6.24 Released!

The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 14.1, 13.5, 12.9, 11.14, 10.19, and 9.6.24. This release closes two security vulnerabilities and fixes over 40 bugs reported over the last three months.

Additionally, this is the final release of PostgreSQL 9.6. If you are running PostgreSQL 9.6 in a production environment, we suggest that you make plans to upgrade.

For the full list of changes, please review the release notes.

The two security issues fixed in this minor release are:

CVE-2021-23214: Server processes unencrypted bytes from man-in-the-middle. When the server is configured to use trust authentication with a clientcert requirement, or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.

CVE-2021-23222: libpq processes unencrypted bytes from man-in-the-middle. A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. This one is fixed on the client side, in libpq, so applications and drivers that bundle or link libpq need the update as well, not only the servers.

Both CVEs are man-in-the-middle (MITM) issues with the same root cause: cleartext bytes that an attacker appended to the SSL (or GSS) handshake traffic were left in the read buffer and then processed as if they had arrived over the encrypted channel. The fix makes the server and libpq reject any extraneous data after the encryption handshake.

MITM21 is an informal label, not an official title; it refers to the server-side vulnerability, CVE-2021-23214.

PostgreSQL servers that allow connections using "cert" authentication, or "trust" authentication with a clientcert option set, are affected by CVE-2021-23214. These configurations can be identified by running the following query on a potentially affected server; it lists every TCP ("host*") rule in pg_hba.conf that uses one of those two methods:

SELECT * FROM pg_hba_file_rules
WHERE
  (auth_method = 'cert' OR
   (auth_method = 'trust' AND options::text LIKE '%clientcert%'))
  AND type LIKE 'host%' AND error IS NULL;

Two things to keep in mind when reading the result: pg_hba_file_rules can only be queried by a superuser, and it parses the pg_hba.conf file as it currently is on disk, which may differ from the rules the running server loaded until you reload the configuration. The "error IS NULL" condition drops lines the parser could not understand, so any rows with a non-null error should be reviewed by hand. An empty result means no rule matches the affected condition; any row returned is a rule that an on-path attacker could abuse until the server is patched.
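The same check applied offline to a pg_hba.conf file, as an added example that is not part of the original post or of the PostgreSQL project. It is useful on hosts where you have the file but not a superuser session, or where the file on disk has not been reloaded yet. The sample file content is constructed for the demo, and the function names (`parse_pg_hba`, `mitm21_exposed_rules`) are my own; the condition mirrors the query above (host* rule with method cert, or trust plus any clientcert option).

```python
"""Scan a pg_hba.conf for rules matching the CVE-2021-23214 (MITM21) condition."""
import shlex
import sys

# Authentication methods pg_hba.conf accepts. They are used to locate the
# METHOD column, because the ADDRESS column of a host* rule may be either a
# single CIDR token or an "ip netmask" pair (two tokens).
AUTH_METHODS = {
    "trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
    "ident", "peer", "ldap", "radius", "cert", "pam", "bsd",
}

# Constructed sample file for the demo; not taken from any real server.
SAMPLE_PG_HBA = """\
# TYPE    DATABASE  USER  ADDRESS                 METHOD  [OPTIONS]
local     all       all                           peer
host      all       all   127.0.0.1/32            scram-sha-256
hostssl   all       all   10.0.0.0/8              cert map=sslmap
hostssl   all       app   10.0.1.0/24             trust clientcert=verify-full
host      all       all   10.0.2.0 255.255.255.0  trust
hostssl   all       all   0.0.0.0/0               scram-sha-256 clientcert=verify-ca
"""


def parse_pg_hba(text):
    """Yield one dict per rule: line, type, database, user, method, options."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop trailing comments and blank lines. A '#' inside a quoted token
        # is not handled here; real pg_hba files practically never need one.
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = shlex.split(body)  # honours double-quoted tokens
        if len(fields) < 4:
            continue  # malformed; the server would reject the line too
        rule_type = fields[0]
        # local rules have no ADDRESS column; host* rules have one or two
        # address tokens, so find the first token that is a known method.
        start = 3 if rule_type == "local" else 4
        method_idx = next(
            (i for i in range(start, len(fields)) if fields[i] in AUTH_METHODS),
            None,
        )
        if method_idx is None:
            continue
        options = {}
        for tok in fields[method_idx + 1:]:
            key, _, value = tok.partition("=")
            options[key] = value
        yield {
            "line": lineno,
            "type": rule_type,
            "database": fields[1],
            "user": fields[2],
            "method": fields[method_idx],
            "options": options,
        }


def mitm21_exposed_rules(text):
    """Return the rules that match the advisory's condition: a host* rule
    that authenticates with cert, or with trust plus any clientcert option."""
    exposed = []
    for rule in parse_pg_hba(text):
        if not rule["type"].startswith("host"):
            continue  # local (Unix socket) rules are not TCP connections
        if rule["method"] == "cert" or (
            rule["method"] == "trust" and "clientcert" in rule["options"]
        ):
            exposed.append(rule)
    return exposed


def main(argv):
    # Usage: python mitm21_check.py [/path/to/pg_hba.conf]
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PG_HBA
    hits = mitm21_exposed_rules(text)
    for r in hits:
        print(f"line {r['line']}: {r['type']} {r['database']} {r['user']} "
              f"{r['method']} {r['options']}")
    return 1 if hits else 0  # non-zero exit when something needs attention


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample file the script reports lines 4 and 5 (the cert rule and the trust rule with clientcert) and skips the plain trust rule and the scram-sha-256 rule that merely adds clientcert, which is the same set the SQL query above would return for that file. Run it against your own pg_hba.conf with the path as the first argument; a non-zero exit code means at least one matching rule was found.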

So, it is time for a quick downtime and a minor PostgreSQL upgrade: install the new packages and restart the server (a minor release needs no dump/restore or pg_upgrade). Because CVE-2021-23222 lives in libpq, schedule the client-side updates too, and if you are still on 9.6, treat this final 9.6 release as the point to plan a major-version upgrade.
