[pgpool-committers: 10245] pgpool: Abort SSL negotiation if backend sends an error message.
Tatsuo Ishii
ishii at postgresql.org
Tue Nov 26 22:04:41 JST 2024
Abort SSL negotiation if backend sends an error message.
In the client side implementation of SSL negotiation
(pool_ssl_negotiate_clientserver()), it was possible for a
man-in-the-middle attacker to send a long error message to confuse
Pgpool-II or the client while in the SSL negotiation phase. This commit
rejects the negotiation immediately (issuing a FATAL error) and exits
the session to prevent such an attack.
This resembles PostgreSQL's CVE-2024-10977.
Backpatch-through: v4.1
Branch
------
V4_3_STABLE
Details
-------
https://git.postgresql.org/gitweb?p=pgpool2.git;a=commitdiff;h=7fdb8724463671421880796367b8edcf5d5c27d8
Modified Files
--------------
src/utils/pool_ssl.c | 10 ++++++++++
1 file changed, 10 insertions(+)
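Added illustration of the client-side check the commit describes; this is not Pgpool-II's own code and the function and enum names are assumptions. It relies only on the PostgreSQL wire protocol facts that the SSLRequest packet is 8 bytes (length 8, request code 80877103) and that the server answers with a single byte, 'S' or 'N'. The point shown is that an 'E' reply before TLS is up is never handed to an error-message reader; the session is ended with a fixed FATAL log line and the remaining bytes are left unparsed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative client-side SSLRequest handling (not Pgpool-II's code).
 * Wire protocol: the client sends an 8-byte SSLRequest and the server
 * replies with ONE byte, 'S' (use TLS) or 'N' (TLS not available). */
#define SSLREQUEST_CODE 80877103u   /* (1234 << 16) | 5679 */

typedef enum {
    SSL_NEG_ACCEPT,   /* 'S': start the TLS handshake */
    SSL_NEG_DECLINE,  /* 'N': no TLS; caller decides whether cleartext is allowed */
    SSL_NEG_FATAL     /* anything else: log a FATAL error and end the session */
} ssl_neg_result;

/* Encode the SSLRequest packet: int32 length (8) then int32 code, big-endian. */
void build_sslrequest(unsigned char out[8])
{
    uint32_t len = 8, code = SSLREQUEST_CODE;
    out[0] = len >> 24;  out[1] = len >> 16;  out[2] = len >> 8;  out[3] = len;
    out[4] = code >> 24; out[5] = code >> 16; out[6] = code >> 8; out[7] = code;
}

/* Classify the single reply byte.  An 'E' (ErrorResponse) arriving before
 * TLS is established is not trusted: reading it as a message would let an
 * on-path attacker feed an arbitrarily long "error" during negotiation,
 * so it is treated like any other unexpected byte. */
ssl_neg_result classify_ssl_response(unsigned char reply)
{
    switch (reply) {
    case 'S': return SSL_NEG_ACCEPT;
    case 'N': return SSL_NEG_DECLINE;
    default:  return SSL_NEG_FATAL;   /* includes 'E' */
    }
}

/* Handle whatever the socket delivered after SSLRequest was sent.  Only
 * buf[0] is interpreted; trailing bytes are never parsed or echoed. */
ssl_neg_result handle_ssl_reply(const unsigned char *buf, size_t len,
                                char *log, size_t loglen)
{
    ssl_neg_result r;
    if (len == 0) {
        snprintf(log, loglen, "FATAL: connection closed during SSL negotiation");
        return SSL_NEG_FATAL;
    }
    r = classify_ssl_response(buf[0]);
    if (r == SSL_NEG_FATAL)
        snprintf(log, loglen, "FATAL: unexpected reply 0x%02x to SSLRequest", buf[0]);
    else
        log[0] = '\0';
    return r;
}
```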