A.27. Release 4.2.19

Release Date: 2024-09-09

A.27.1. Overview

This release contains a security fix.

When the query cache (Section 5.13) feature is enabled, it was possible that a database user can read rows from tables that should not be visible for the user through query cache (CVE-2024-45624).

All versions of Pgpool-II older than 4.5.4, 4.4.9, 4.3.12, 4.2.19, 4.1.22, and all older versions that has the query cache feature (the query cache feature was implemented in 3.2) are affected by the vulnerability.

It is strongly recommend to upgrade to Pgpool-II 4.5.4, 4.4.9, 4.3.12, 4.2.19 and 4.1.22 or later. Or you should better turn off the query cache feature.

Note that to fix the vulnerability, some commands (ALTER DATABASE, ALTER ROLE, ALTER TABLE, REVOKE) now invalidate whole query cache data. This may affect the performance when using the query cache feature.

A.27.2. Changes

A.27.3. Bug fixes