[pgpool-general: 8554] Pgpool-II 4.4.2, 4.3.5, 4.2.12, 4.1.15 and 4.0.22 are now officially released.

Bo Peng pengbo at sraoss.co.jp
Mon Jan 23 11:16:21 JST 2023


Pgpool Global Development Group is pleased to announce the 
availability of Pgpool-II 4.4.2, 4.3.5, 4.2.12, 4.1.15 and 4.0.22.

This release contains a security fix.

If all of the following conditions are met, the password of "wd_lifecheck_user" is exposed by the "SHOW POOL_STATUS" command.
The command can be executed by any user who can connect to Pgpool-II. (CVE-2023-22332)

* Version 3.3 or later
* use_watchdog = on
* wd_lifecheck_method = 'query'
* A plain text password is set to wd_lifecheck_password

In this case it is strongly recommended to upgrade to the latest versions
(we no longer expose wd_lifecheck_password in the show pool_status command),
or to use one of the following workarounds.

Workarounds for 4.0.x to 4.4.x users:

* Disable watchdog. Set use_watchdog to off.
* Change wd_lifecheck_method to heartbeat.
* Set an empty string to wd_lifecheck_password. This will use the password in the pool_passwd file.
* Set an AES encrypted password to wd_lifecheck_password. 

In any case we recommend changing wd_lifecheck_password in PostgreSQL.

Workarounds for 3.0.x to 3.7.x users:

* Disable watchdog. Set use_watchdog to off.
* Change wd_lifecheck_method to heartbeat. 

In any case we recommend changing wd_lifecheck_password in PostgreSQL.

Please note that Pgpool-II 3.7.x and earlier are end of life and no minor updates are provided for those versions.


For more details please see the release notes:

 http://www.pgpool.net/docs/latest/en/html/release.html

You can download the source code and RPMs from:

  http://pgpool.net/mediawiki/index.php/Downloads

-- 
Bo Peng <pengbo at sraoss.co.jp>
SRA OSS LLC
https://www.sraoss.co.jp/
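
The exposure conditions and fixed versions listed in the announcement can be checked against a pgpool.conf file. The following is an added example, not part of the original announcement or of Pgpool-II itself. The defaults for absent keys, the "AES" prefix marking an encrypted password, and the treatment of branches newer than 4.4 as fixed are assumptions; the sample configuration is constructed.

```python
import re

# Fixed minor release per branch, taken from the announcement.
FIXED = {(4, 4): 2, (4, 3): 5, (4, 2): 12, (4, 1): 15, (4, 0): 22}
# Assumed defaults used when a key is absent from pgpool.conf.
DEFAULTS = {"use_watchdog": "off", "wd_lifecheck_method": "heartbeat",
            "wd_lifecheck_password": ""}
# key = 'quoted value' or key = bare_value, optional trailing # comment.
LINE = re.compile(r"^\s*(\w+)\s*=\s*(?:'((?:[^']|'')*)'|([^#\s]*))")
# Constructed sample configuration (not from a real deployment).
SAMPLE = """\
use_watchdog = on            # watchdog enabled
wd_lifecheck_method = 'query'
wd_lifecheck_user = 'nobody'
#wd_lifecheck_password = ''
wd_lifecheck_password = 's3cret-constructed'
"""

def parse_conf(text):
    """Return the watchdog settings; the last assignment of a key wins."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        m = LINE.match(line)          # commented-out lines never match
        if m and m.group(1).lower() in conf:
            quoted, bare = m.group(2), m.group(3)
            value = quoted.replace("''", "'") if quoted is not None else bare
            conf[m.group(1).lower()] = value
    return conf

def version_affected(version):
    """True if this Pgpool-II version still shows the password."""
    major, minor, *rest = (int(p) for p in version.split("."))
    patch = rest[0] if rest else 0
    if (major, minor) < (3, 3):
        return False
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    return major < 4  # 3.3 to 3.7: no fix; branches after 4.4 assumed fixed

def password_exposed(conf_text, version):
    """True only when every condition from the announcement holds."""
    c = parse_conf(conf_text)
    pw = c["wd_lifecheck_password"]
    # Anything non-empty without the AES prefix is treated as plain text.
    return (version_affected(version)
            and c["use_watchdog"].lower() in ("on", "true", "yes", "1")
            and c["wd_lifecheck_method"].lower() == "query"
            and pw != "" and not pw.startswith("AES"))
```

A result of `True` means the upgrade or one of the listed workarounds still has to be applied, and the password should be changed in PostgreSQL in any case.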


