pgpool-II 4.4.9 Documentation
Appendix A. Release Notes
Release Date: 2023-01-23
This release contains a security fix.
If all of the following conditions are met, the password of wd_lifecheck_user is exposed by the SHOW POOL STATUS command. The command can be executed by any user who can connect to Pgpool-II. (CVE-2023-22332)
1. Version 3.3 or later.
2. use_watchdog is on.
3. wd_lifecheck_method is query.
4. A plain text password is set in wd_lifecheck_password.
In this case it is strongly recommended to upgrade to this version (wd_lifecheck_password is no longer exposed by the SHOW POOL STATUS command), or to use one of the following workarounds.
Workarounds for 4.0.x to 4.4.x users:
1. Disable watchdog: set use_watchdog to off.
2. Change wd_lifecheck_method to heartbeat.
3. Set wd_lifecheck_password to an empty string; Pgpool-II will then take the password from the pool_passwd file.
4. Set an AES encrypted password in wd_lifecheck_password.
In any case, we recommend changing the password that wd_lifecheck_password holds on the PostgreSQL side (the password of wd_lifecheck_user).
Workarounds for 3.0.x to 3.7.x users:
1. Disable watchdog: set use_watchdog to off.
2. Change wd_lifecheck_method to heartbeat.
In any case, we recommend changing the password that wd_lifecheck_password holds on the PostgreSQL side (the password of wd_lifecheck_user).
Please note that Pgpool-II 3.7.x and earlier are end of life, and no minor updates are provided for those versions.
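The four conditions and the workarounds above translate directly into a configuration audit. The following POSIX shell script is an added example, not code from the pgpool-II project: it reads the effective values of use_watchdog, wd_lifecheck_method and wd_lifecheck_password from a pgpool.conf and reports whether an unpatched Pgpool-II (3.3 through 4.4.8) would leak the password through SHOW POOL STATUS. It assumes the usual pgpool.conf syntax (`name = value`, optional single quotes, `#` comments, last assignment wins), that an AES encrypted wd_lifecheck_password carries the `AES` prefix, and that absent parameters take the documented defaults (use_watchdog off, wd_lifecheck_method heartbeat). The three sample configurations it writes to temporary files are constructed for the demonstration; the AES value in the last one is a placeholder, not real ciphertext.

```shell
#!/bin/sh
# Added example (not pgpool-II project code): audit a pgpool.conf for the
# CVE-2023-22332 exposure conditions described in the release notes.
# Assumptions: `name = value` lines with optional single quotes and '#'
# comments, a later assignment overrides an earlier one, and an AES
# encrypted wd_lifecheck_password starts with the 'AES' prefix.

# conf_get FILE NAME: print the effective value of NAME (last assignment,
# quotes and trailing comment removed), or nothing if NAME is not set.
conf_get() {
    _v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    case "$_v" in
        "'"*)   # quoted value: keep everything up to the closing quote
            _v=${_v#\'}; _v=${_v%%\'*} ;;
        *)      # unquoted value: drop a trailing comment and whitespace
            _v=${_v%%#*}
            _v=$(printf '%s' "$_v" | sed 's/[[:space:]]*$//') ;;
    esac
    printf '%s\n' "$_v"
}

# check_wd_lifecheck_exposure FILE: print a verdict; return 0 when all the
# advisory's conditions hold (an unpatched 3.3 .. 4.4.8 would show the
# password in SHOW POOL STATUS), 1 otherwise.
check_wd_lifecheck_exposure() {
    wd=$(conf_get "$1" use_watchdog)
    method=$(conf_get "$1" wd_lifecheck_method)
    pw=$(conf_get "$1" wd_lifecheck_password)
    # documented defaults when the parameters are absent
    wd=${wd:-off}
    method=${method:-heartbeat}
    case "$wd" in on|true|yes|1) wd=on ;; *) wd=off ;; esac
    if [ "$wd" = on ] && [ "$method" = query ] && [ -n "$pw" ] \
       && [ "${pw#AES}" = "$pw" ]; then
        echo "EXPOSED: plain text wd_lifecheck_password with use_watchdog=on and wd_lifecheck_method=query"
        return 0
    fi
    echo "OK: no plain text wd_lifecheck_password reachable via SHOW POOL STATUS"
    return 1
}

# Constructed sample configurations for the demonstration (not real deployments).
WEAK_CONF=$(mktemp); EMPTY_CONF=$(mktemp); AES_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$EMPTY_CONF" "$AES_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
use_watchdog = on
wd_lifecheck_method = 'query'
wd_lifecheck_user = 'nobody'
wd_lifecheck_password = 'plain#text'   # plain text: shown by SHOW POOL STATUS
EOF
cat > "$EMPTY_CONF" <<'EOF'
use_watchdog = on
wd_lifecheck_method = 'query'
wd_lifecheck_user = 'nobody'
wd_lifecheck_password = ''             # workaround 3: taken from pool_passwd
EOF
cat > "$AES_CONF" <<'EOF'
use_watchdog = on
wd_lifecheck_method = 'query'
wd_lifecheck_user = 'nobody'
wd_lifecheck_password = 'AESexamplectext'  # workaround 4: placeholder AES value (constructed)
EOF

for f in "$WEAK_CONF" "$EMPTY_CONF" "$AES_CONF"; do
    check_wd_lifecheck_exposure "$f" || :
done
```

Run it against a real pgpool.conf with `check_wd_lifecheck_exposure /path/to/pgpool.conf`; a return status of 0 means one of the workarounds (or the upgrade) is still outstanding on that host.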
- Do not expose wd_lifecheck_password in the SHOW POOL STATUS, pcp_pool_status and pgpool_adm_pcp_pool_status commands. (CVE-2023-22332) (Bo Peng)
- Change the default value of wd_lifecheck_password to an empty string, as documented. (Bo Peng)
- Fix a compiler warning in pgpool-regclass.c. (Florian Weimer, Tatsuo Ishii)
- Doc: Enhance and fix some mistakes in the "Configurations to use shared memory" chapter. (Tatsuo Ishii)