[pgpool-committers: 10246] pgpool: Abort SSL negotiation if backend sends an error message.
Tatsuo Ishii
ishii at postgresql.org
Tue Nov 26 22:04:47 JST 2024
Abort SSL negotiation if backend sends an error message.
In the client-side implementation of SSL negotiation
(pool_ssl_negotiate_clientserver()), it was possible for a
man-in-the-middle attacker to send a long error message to confuse
Pgpool-II or the client while in the SSL negotiation phase. This commit
rejects the negotiation immediately (issues a FATAL error) and exits
the session to prevent such an attack.
This resembles PostgreSQL's CVE-2024-10977.
Backpatch-through: v4.1
Branch
------
V4_4_STABLE
Details
-------
https://git.postgresql.org/gitweb?p=pgpool2.git;a=commitdiff;h=48502ce47d68dc91ba8a5a87fac5457b48eb52f9
Modified Files
--------------
src/utils/pool_ssl.c | 10 ++++++++++
1 file changed, 10 insertions(+)
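The behaviour the commit message describes, written out as an added illustration (this is not pgpool's code and does not reproduce pool_ssl_negotiate_clientserver()): the client sends an SSLRequest, reads exactly one byte, and accepts only 'S' or 'N'. If the first byte is 'E', the start of an ErrorResponse, the session is dropped without reading the message's length field or body, so an interposed party cannot make the client consume an arbitrarily long message during negotiation. The SSLRequest packet layout (int32 length 8, request code 80877103) is from the PostgreSQL frontend/backend protocol; the fake backend, the socketpair harness and the long error message are constructed for the example.

```python
import socket
import struct
import threading

# SSLRequest: int32 length (8) followed by the request code 80877103,
# i.e. 1234 in the high 16 bits and 5679 in the low 16 bits (protocol spec).
SSL_REQUEST_CODE = 80877103


class NegotiationAborted(Exception):
    """Raised when the backend's reply to SSLRequest is not 'S' or 'N'."""


def build_ssl_request() -> bytes:
    """Serialize the 8-byte SSLRequest packet (big-endian)."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def negotiate_ssl(sock: socket.socket) -> str:
    """Client side of SSL negotiation (illustrative, not pgpool's routine).

    Sends SSLRequest and reads exactly one byte. 'S' means the backend
    accepts SSL, 'N' means it refuses. Anything else, including the 'E'
    that starts an ErrorResponse, aborts immediately: the rest of the
    message is never read, so a peer-controlled length field cannot make
    the client wait for or buffer a long payload.
    """
    sock.sendall(build_ssl_request())
    reply = sock.recv(1)
    if reply == b"S":
        return "ssl"
    if reply == b"N":
        return "plain"
    sock.close()
    if reply == b"E":
        raise NegotiationAborted("error message received during SSL negotiation")
    raise NegotiationAborted(f"unexpected reply {reply!r} to SSLRequest")


def fake_backend(sock: socket.socket, reply: bytes) -> None:
    """Constructed stand-in for a backend (or an interposed party): reads the
    SSLRequest and answers with a canned reply."""
    request = b""
    while len(request) < 8:
        chunk = sock.recv(8 - len(request))
        if not chunk:
            break
        request += chunk
    if request == build_ssl_request():
        sock.sendall(reply)
    sock.close()


def run_negotiation(backend_reply: bytes) -> str:
    """Drive one negotiation against the fake backend over a socketpair and
    report the outcome: 'ssl', 'plain' or 'aborted'."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_backend, args=(server, backend_reply))
    worker.start()
    try:
        return negotiate_ssl(client)
    except NegotiationAborted:
        return "aborted"
    finally:
        worker.join()
        client.close()


# Constructed ErrorResponse: 'E', int32 length (counts itself, not the type
# byte), then a deliberately long body. negotiate_ssl never reads past 'E'.
_ERROR_BODY = b"SFATAL\x00" + b"M" + b"X" * 2000 + b"\x00\x00"
LONG_ERROR = b"E" + struct.pack("!i", 4 + len(_ERROR_BODY)) + _ERROR_BODY


if __name__ == "__main__":
    print(run_negotiation(b"S"))        # ssl
    print(run_negotiation(b"N"))        # plain
    print(run_negotiation(LONG_ERROR))  # aborted
```

The point to take from the example is where the check sits: the decision is made on the first byte, before any length-prefixed message is parsed, which is what closes the window the commit message describes.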