PostgreSQL 14.1, 13.5, 12.9, 11.14, 10.19, and 9.6.24 Released!
The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 14.1, 13.5, 12.9, 11.14, 10.19, and 9.6.24. This release closes two security vulnerabilities and fixes over 40 bugs reported over the last three months.
Additionally, this is the final release of PostgreSQL 9.6. If you are running PostgreSQL 9.6 in a production environment, we suggest that you make plans to upgrade.
For the full list of changes, please review the release notes.
Following are the security issues fixed in this minor release:
CVE-2021-23214: Server processes un-encrypted bytes from man-in-the-middle
CVE-2021-23222: libpq processes un-encrypted bytes from man-in-the-middle
Both CVEs relate to MITM (man-in-the-middle) attacks.
"MITM21" is not an official title; it is used here as shorthand for the vulnerability CVE-2021-23214.
PostgreSQL servers that allow connections using "cert" authentication, or "trust" authentication with a clientcert option set, are affected by CVE-2021-23214. Such servers can be identified by running the following SQL query on a potentially affected server to see whether any valid (error-free) access rules match these criteria. The query as originally posted was missing its WHERE keyword; the corrected form is:
SELECT * FROM pg_hba_file_rules WHERE
  (auth_method = 'cert' OR
   (auth_method = 'trust' AND options::text LIKE '%clientcert%'))
  AND type LIKE 'host%' AND error IS NULL;
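The pg_hba_file_rules view only exists on PostgreSQL 10 and later, so a 9.6 server (also covered by this release) cannot run the query above. The following added Python script, not part of this post or of the PostgreSQL project, applies the same criteria to a pg_hba.conf file offline; it handles both the "addr/mask" and "addr netmask" address forms and assumes no quoted option values containing spaces or "#". The sample pg_hba.conf it checks is constructed for illustration.

```python
# Added example (not from this post or the PostgreSQL project): apply the release
# announcement's CVE-2021-23214 criteria to a pg_hba.conf file offline.
AUTH_METHODS = {  # documented pg_hba.conf authentication methods
    "trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
    "ident", "peer", "ldap", "radius", "cert", "pam", "bsd",
}

def parse_hba_line(line):
    """Return (type, database, user, address, method, options) for one rule,
    or None for blank/comment lines and lines that do not parse.
    Simplification: '#' inside a quoted option value is treated as a comment."""
    line = line.split("#", 1)[0].strip()
    fields = line.split()
    if len(fields) < 4:
        return None
    conn_type, database, user, rest = fields[0], fields[1], fields[2], fields[3:]
    # The address may be "addr/mask" (one token) or "addr netmask" (two tokens),
    # so locate the method column first; everything after it is auth options.
    for i, tok in enumerate(rest):
        if tok in AUTH_METHODS:
            options = dict(o.split("=", 1) for o in rest[i + 1:] if "=" in o)
            return conn_type, database, user, " ".join(rest[:i]), tok, options
    return None

def affected_rules(hba_text):
    """Return (line number, rule text) for every host* rule that uses cert,
    or trust with a clientcert option, matching the pg_hba_file_rules query."""
    hits = []
    for lineno, raw in enumerate(hba_text.splitlines(), 1):
        rule = parse_hba_line(raw)
        if rule is None or not rule[0].startswith("host"):
            continue
        method, options = rule[4], rule[5]
        if method == "cert" or (method == "trust" and "clientcert" in options):
            hits.append((lineno, raw.strip()))
    return hits

# Constructed sample pg_hba.conf covering both address forms and a non-SSL rule.
SAMPLE_HBA = """\
# constructed sample; not a real server's file
local     all  all                             peer
host      all  all  127.0.0.1/32               scram-sha-256
hostssl   all  all  10.0.0.0/8                 cert clientcert=verify-full
hostssl   all  app  192.168.1.0 255.255.255.0  trust clientcert=verify-ca
host      all  all  0.0.0.0/0                  trust
hostnossl all  all  ::/0                       md5
"""

if __name__ == "__main__":
    print(affected_rules(SAMPLE_HBA))  # expect hits on lines 4 and 5
```

Point affected_rules at the contents of the server's real pg_hba.conf; a plain "trust" rule without clientcert (sample line 6) is deliberately not flagged, mirroring the query.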
So, it is time to schedule a short downtime and apply this minor PostgreSQL upgrade.