Bug#1030048: pgpool2: CVE-2023-22332

2023-03-01 Thread Christoph Berg
Re: Adrian Bunk
> > CVE-2023-22332[0]:

> Christoph, is there a reason why this cannot be fixed with a backport
> or an upgrade to 4.3.5?

Just time (and the RFH on the package that has been open since 2014
and no activity since 2016).

I've just uploaded 4.3.5 to unstable.

Thanks for the poke,
Christoph



Bug#1030048: pgpool2: CVE-2023-22332

2023-02-28 Thread Adrian Bunk
On Mon, Jan 30, 2023 at 06:47:23PM +0100, Moritz Mühlenhoff wrote:
> Source: pgpool2
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for pgpool2.
> 
> CVE-2023-22332[0]:
> | Information disclosure vulnerability exists in Pgpool-II 4.4.0 to
> | 4.4.1 (4.4 series), 4.3.0 to 4.3.4 (4.3 series), 4.2.0 to 4.2.11 (4.2
> | series), 4.1.0 to 4.1.14 (4.1 series), 4.0.0 to 4.0.21 (4.0 series),
> | All versions of 3.7 series, All versions of 3.6 series, All versions
> | of 3.5 series, All versions of 3.4 series, and All versions of 3.3
> | series. A specific database user's authentication information may be
> | obtained by another database user. As a result, the information stored
> | in the database may be altered and/or database may be suspended by a
> | remote attacker who successfully logged in the product with the
> | obtained credentials.
> 
> Quoting from https://www.pgpool.net/mediawiki/index.php/Main_Page#News :
> 
> (I have no idea how common that is, feel free to downgrade as necessary)
> 
> --
> This release contains a security fix.
> 
> If the following conditions are all met, the password of "wd_lifecheck_user" is
> exposed by "SHOW POOL STATUS" command. The command can be executed by any
> user who can connect to Pgpool-II. (CVE-2023-22332)
> 
> • Version 3.3 or later
> • use_watchdog = on
> • wd_lifecheck_method = 'query'
> • A plain text password is set to wd_lifecheck_password
> --
>...

Christoph, is there a reason why this cannot be fixed with a backport
or an upgrade to 4.3.5?

cu
Adrian



Bug#1030048: pgpool2: CVE-2023-22332

2023-01-30 Thread Moritz Mühlenhoff
Source: pgpool2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pgpool2.

CVE-2023-22332[0]:
| Information disclosure vulnerability exists in Pgpool-II 4.4.0 to
| 4.4.1 (4.4 series), 4.3.0 to 4.3.4 (4.3 series), 4.2.0 to 4.2.11 (4.2
| series), 4.1.0 to 4.1.14 (4.1 series), 4.0.0 to 4.0.21 (4.0 series),
| All versions of 3.7 series, All versions of 3.6 series, All versions
| of 3.5 series, All versions of 3.4 series, and All versions of 3.3
| series. A specific database user's authentication information may be
| obtained by another database user. As a result, the information stored
| in the database may be altered and/or database may be suspended by a
| remote attacker who successfully logged in the product with the
| obtained credentials.

Quoting from https://www.pgpool.net/mediawiki/index.php/Main_Page#News :

(I have no idea how common that is, feel free to downgrade as necessary)

--
This release contains a security fix.

If the following conditions are all met, the password of "wd_lifecheck_user" is
exposed by "SHOW POOL STATUS" command. The command can be executed by any user
who can connect to Pgpool-II. (CVE-2023-22332)

• Version 3.3 or later
• use_watchdog = on
• wd_lifecheck_method = 'query'
• A plain text password is set to wd_lifecheck_password
--

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22332
https://www.cve.org/CVERecord?id=CVE-2023-22332

Please adjust the affected versions in the BTS as needed.
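The four conditions quoted from the Pgpool-II release note combine into a small configuration check that an administrator can run against pgpool.conf to see whether a given host is exposed before the 4.3.5 upgrade lands, and to confirm that a mitigation (changing any one of the conditions) has taken effect. This is an added example, not code from the bug report or from the Pgpool-II project. It assumes pgpool.conf's `key = 'value'` line syntax, that the defaults are `use_watchdog = off` and `wd_lifecheck_method = 'heartbeat'`, that an empty `wd_lifecheck_password` means pgpool looks the password up elsewhere rather than storing it in this file, and that a value carrying pgpool's `AES` or `MD5` prefix is not a plain-text password; check that prefix list against the documentation of the version you run. The sample configurations are constructed for the example.

```python
"""Flag pgpool.conf files that meet every CVE-2023-22332 exposure condition."""
import re

# Assumption: pgpool's documented prefixes for passwords that are not plain text.
ENCRYPTED_PREFIXES = ("AES", "MD5")

# Constructed sample configurations, not taken from any real deployment.
VULNERABLE_CONF = """
# pgpool.conf excerpt (constructed)
use_watchdog = on
wd_lifecheck_method = 'query'      # life check by SQL query
wd_lifecheck_user = 'nobody'
wd_lifecheck_password = 's3cret'   # plain text: shown by SHOW POOL STATUS
"""

MITIGATED_CONF = """
use_watchdog = on
wd_lifecheck_method = 'heartbeat'  # no query-based life check, so no exposure
wd_lifecheck_password = 's3cret'
"""

ENCRYPTED_CONF = """
use_watchdog = on
wd_lifecheck_method = 'query'
wd_lifecheck_password = 'AESexamplecipherteXt=='   # assumed encrypted form
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*)$")


def _strip_value(value):
    """Remove surrounding quotes or a trailing '# comment' from a raw value."""
    if value[:1] in ("'", '"'):
        end = value.find(value[0], 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split("#", 1)[0].strip()


def parse_pgpool_conf(text):
    """Return {key: value} for every 'key = value' line; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = _strip_value(m.group(2))
    return settings


def is_plaintext_password(value):
    """Empty means the password is not stored here; a known prefix means it is not plain text."""
    return value != "" and not value.startswith(ENCRYPTED_PREFIXES)


def check_cve_2023_22332(text):
    """Return (exposed, reasons): exposed is True only when all four conditions hold."""
    s = parse_pgpool_conf(text)
    reasons = []
    if s.get("use_watchdog", "off").lower() == "on":
        reasons.append("use_watchdog = on")
    if s.get("wd_lifecheck_method", "heartbeat").lower() == "query":
        reasons.append("wd_lifecheck_method = 'query'")
    if is_plaintext_password(s.get("wd_lifecheck_password", "")):
        reasons.append("wd_lifecheck_password is stored in plain text")
    # The release note applies to version 3.3 or later; a running pre-4.3.5 pgpool
    # that meets the three configuration conditions exposes the password.
    return len(reasons) == 3, reasons


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF),
                       ("mitigated", MITIGATED_CONF),
                       ("encrypted", ENCRYPTED_CONF)):
        exposed, why = check_cve_2023_22332(conf)
        print(f"{name}: {'EXPOSED' if exposed else 'not exposed'} {why}")
```

Run it against the real file with `check_cve_2023_22332(open("/etc/pgpool2/pgpool.conf").read())`; a result of `True` means SHOW POOL STATUS will reveal the life-check password to any user who can connect until the package is upgraded to 4.3.5 or one of the three settings is changed.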