[pgpool-committers: 10248] pgpool: Abort SSL negotiation if backend sends an error message.
Tatsuo Ishii
ishii at postgresql.org
Tue Nov 26 22:04:57 JST 2024
Abort SSL negotiation if backend sends an error message.
In the client side implementation of SSL negotiation
(pool_ssl_negotiate_clientserver()), it was possible for a
man-in-the-middle attacker to send a long error message to confuse
Pgpool-II or client while in the SSL negotiation phase. This commit
rejects the negotiation immediately (issuing a FATAL error) and exits
the session to prevent such an attack.
This resembles PostgreSQL's CVE-2024-10977.
Backpatch-through: v4.1
Branch
------
master
Details
-------
https://git.postgresql.org/gitweb?p=pgpool2.git;a=commitdiff;h=e004a213e48ccf607706ca8731780ac4c4cd9e00
Modified Files
--------------
src/utils/pool_ssl.c | 10 ++++++++++
1 file changed, 10 insertions(+)
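As an added example (not the code from this commit or from pool_ssl.c; the function and type names are my own, and the backend socket is replaced by a constructed in-memory buffer), here is the client side of the negotiation the message describes: send SSLRequest, read exactly one reply byte, and treat anything other than 'S' or 'N' as FATAL, so a forged ErrorResponse is never parsed or relayed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names for this added example; not pool_ssl.c itself. */
enum ssl_outcome { SSL_NEG_USE_SSL, SSL_NEG_PLAINTEXT, SSL_NEG_FATAL };

/* SSLRequest: int32 length (8) followed by the request code 80877103
 * (1234 << 16 | 5679), both big-endian, as in the PostgreSQL protocol. */
size_t build_ssl_request(unsigned char out[8])
{
    uint32_t len = 8, code = (1234u << 16) | 5679u;
    out[0] = len >> 24;  out[1] = len >> 16;  out[2] = len >> 8;  out[3] = len;
    out[4] = code >> 24; out[5] = code >> 16; out[6] = code >> 8; out[7] = code;
    return 8;
}

/* Minimal transport stand-in so the example runs offline: fake_recv() pulls
 * bytes from a constructed buffer that plays the role of the backend socket. */
struct fake_conn { const unsigned char *data; size_t len, pos; };

static int fake_recv(struct fake_conn *c, unsigned char *b)
{
    if (c->pos >= c->len) return 0;
    *b = c->data[c->pos++];
    return 1;
}

/* Client-side negotiation after the fix: read exactly one byte. 'S' and
 * 'N' are the only legal answers; 'E' (ErrorResponse) or anything else is
 * FATAL and the session ends before any further bytes are consumed. */
enum ssl_outcome negotiate_ssl(struct fake_conn *c)
{
    unsigned char reply;
    if (!fake_recv(c, &reply)) return SSL_NEG_FATAL;
    switch (reply) {
        case 'S': return SSL_NEG_USE_SSL;
        case 'N': return SSL_NEG_PLAINTEXT;
        default:  return SSL_NEG_FATAL;   /* includes a forged 'E' */
    }
}

/* Constructed man-in-the-middle reply: a well-formed ErrorResponse sent
 * in place of 'S'/'N'. Its text never reaches a log or the client. */
static const unsigned char mitm_reply[] =
    "E\x00\x00\x00\x31" "SFATAL\0" "C28000\0" "Mplease disable SSL and retry\0" "\0";

size_t bytes_left_unread(struct fake_conn *c) { return c->len - c->pos; }
```

With the constructed reply above, negotiate_ssl() returns SSL_NEG_FATAL after consuming only the leading 'E'; every byte of the attacker-supplied message body is left unread.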