Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
CVE-2023-22332-2.patch | commit 6ee624f466b7e501a1d69d17a39cb0c3435e91da Change the default value for wd_lifecheck_password to empty string as documented. | Bo Peng <pengbo@sraoss.co.jp> | no | | https://github.com/pgpool/pgpool2/commit/6ee624f466b7e501a1d69d17a39cb0c3435e91da | 2023-01-22 |
CVE-2024-45624.patch | commit 7db3965794237a1427e7961aee7c4650b96bea7c Fix multiple query cache vulnerabilities (CVE-2024-45624). When the query cache feature is enabled, it was possible that a user can read rows from tables that should not be visible for the user through query cache. - If query cache is created for a row security enabled table for user A, and then other user B accesses the table via SET ROLE or SET SESSION_AUTHORIZATION in the same session, it was possible for the user B to retrieve rows which should not be visible from the user B. - If query cache is created for a table for user A, and then other user B accesses the table via SET ROLE or SET SESSION_AUTHORIZATION in the same session, it was possible for the user B to retrieve rows which should not be visible from the user B. - If query cache is created for a table for a user, and then the access right of the table is revoked from the user by REVOKE command, still it was possible for the user to retrieve the rows through the query cache. Besides the vulnerabilities, there were multiple bugs with the query cache feature. - If query cache is created for a row security enabled table for a user, and then ALTER DATABASE BYPASSRLS or ALTER ROLE BYPASSRLS disable the row security of the table, subsequent SELECT still returns the same rows as before through the query cache. - If query cache is created for a table for a user, and then ALTER TABLE SET SCHEMA changes the search path to not allow to access the table, subsequent SELECT still returns the rows as before through the query cache. To fix above, following changes are made: - Do not allow to create query cache/use query cache for row security enabled tables (even if the table is included in cache_safe_memqcache_table_list). - Do not allow to create query cache/use query cache if SET ROLE/SET AUTHORIZATION is executed in the session (query cache invalidation is performed when a table is modified as usual). - Remove entire query cache if REVOKE/ALTER DATABASE/ALTER TABLE/ALTER ROLE is executed. If the command is executed in an explicit transaction, do not create query cache/use query cache until the transaction gets committed (query cache invalidation is performed when a table is modified as usual). If the transaction is aborted, do not remove query cache. Patch is created by Tatsuo Ishii. Backpatch-through: v4.1 | Bo Peng <pengbo@sraoss.co.jp> | no | | | 2024-09-07 |
pgpool2-debian-config.patch | pgpool2 debian config | Marco Nenciarini <mnencia@debian.org> | no | | | 2016-02-24 |
sbin-paths | pgpool_setup + pg_md5 path https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877851 | | no | | | |
987183 | Fix connection count when query is canceled. Connection counter was not counted down when a query is canceled. Per bug 656. | Tatsuo Ishii <ishii@sraoss.co.jp> | no | | | 2020-10-29 |
CVE-2023-22332-1.patch | commit 59f440e2c799fab59c0dbb0a321dbd4a53219edf Do not expose wd_lifecheck_password in show pool_status command. diff --git a/src/utils/pool_process_reporting.c b/src/utils/pool_process_reporting.c index 3adbcf2d2..81df028e2 100644 | Bo Peng <pengbo@sraoss.co.jp> | no | | https://github.com/pgpool/pgpool2/commit/59f440e2c799fab59c0dbb0a321dbd4a53219edf | 2023-01-22 |