On Mon, Jan 30, 2023 at 06:47:23PM +0100, Moritz Mühlenhoff wrote:
> Source: pgpool2
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerability was published for pgpool2.
>
> CVE-2023-22332[0]:
> | Information disclosure vulnerability exists in Pgpool-II 4.4.0 to
> | 4.4.1 (4.4 series), 4.3.0 to 4.3.4 (4.3 series), 4.2.0 to 4.2.11 (4.2
> | series), 4.1.0 to 4.1.14 (4.1 series), 4.0.0 to 4.0.21 (4.0 series),
> | All versions of 3.7 series, All versions of 3.6 series, All versions
> | of 3.5 series, All versions of 3.4 series, and All versions of 3.3
> | series. A specific database user's authentication information may be
> | obtained by another database user. As a result, the information stored
> | in the database may be altered and/or database may be suspended by a
> | remote attacker who successfully logged in the product with the
> | obtained credentials.
>
> Quoting from https://www.pgpool.net/mediawiki/index.php/Main_Page#News :
>
> (I have no idea how common that is, feel free to downgrade as necessary)
>
> ----------------------------------------------
> This release contains a security fix.
>
> If following conditions are all met, the password of "wd_lifecheck_user" is
> exposed by "SHOW POOL STATUS" command. The command can be executed by any
> user who can connect to Pgpool-II. (CVE-2023-22332)
>
> • Version 3.3 or later
> • use_watchdog = on
> • wd_lifecheck_method = 'query'
> • A plain text password is set to wd_lifecheck_password
> ----------------------------------------------
>...
Christoph, is there a reason why this cannot be fixed with a backport or an upgrade to 4.3.5?

cu
Adrian
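The release note quoted above lists the configuration preconditions under which SHOW POOL STATUS discloses the wd_lifecheck_user password. The following audit helper is an added example, not code from this bug report or from the Pgpool-II project: it parses a pgpool.conf fragment and reports whether the three file-level conditions are met. The AES/md5 prefix convention for protected passwords and the defaults assumed for use_watchdog and wd_lifecheck_method are my assumptions, and the sample fragments are constructed.

```python
import re

# pgpool.conf setting line: key = 'quoted value' or key = bare_value, optional # comment
_SETTING = re.compile(r"^\s*(\w+)\s*=\s*(?:'([^']*)'|([^#\s]+))")
TRUE_VALUES = {"on", "true", "yes", "1"}

def parse_pgpool_conf(text):
    """Return {key: value} for each setting line; a quoted value keeps any '#' inside it."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings

def password_is_plaintext(value):
    """Assumption: Pgpool-II 4.x marks protected values with an AES or md5 prefix;
    a TEXT prefix or no prefix means the password is stored in the clear."""
    if not value:
        return False  # no password configured, nothing to disclose
    return not value.startswith(("AES", "md5"))

def cve_2023_22332_exposed(text):
    """Return (exposed, reasons) for the three file-level preconditions named in the
    release note; the Pgpool-II version is not in the file and is not checked."""
    s = parse_pgpool_conf(text)
    reasons = []
    if s.get("use_watchdog", "off").lower() in TRUE_VALUES:  # assumed default: off
        reasons.append("use_watchdog is on")
    if s.get("wd_lifecheck_method", "heartbeat").lower() == "query":  # assumed default: heartbeat
        reasons.append("wd_lifecheck_method is 'query'")
    if password_is_plaintext(s.get("wd_lifecheck_password", "")):
        reasons.append("wd_lifecheck_password is stored in plain text")
    return len(reasons) == 3, reasons

# Constructed sample fragments, not taken from any real deployment.
VULNERABLE_CONF = """\
use_watchdog = on
wd_lifecheck_method = 'query'
wd_lifecheck_user = 'lifecheck'
wd_lifecheck_password = 's3cret#pw'   # plain text: exposed via SHOW POOL STATUS
"""
HARDENED_CONF = """\
use_watchdog = on
wd_lifecheck_method = 'query'
wd_lifecheck_user = 'lifecheck'
wd_lifecheck_password = 'AESplaceholderciphertext'   # encrypted form (constructed placeholder)
"""
```

Running cve_2023_22332_exposed over each fragment flags the first and clears the second; the version precondition still has to be checked against the installed package.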