PostgreSQL updates fixing two vulnerabilities. Odyssey 1.2 connection balancer

Corrective updates have been released for all supported PostgreSQL branches: 14.1, 13.5, 12.9, 11.14, 10.19 and 9.6.24. Release 9.6.24 will be the last update for the 9.6 branch, whose support has ended. Updates for branch 10 will be produced until November 2022, for 11 until November 2023, for 12 until November 2024, for 13 until November 2025, and for 14 until November 2026.

The new versions contain more than 40 fixes. Two vulnerabilities are eliminated: CVE-2021-23214 in the server process and CVE-2021-23222 in the libpq client library. The vulnerabilities allow a man-in-the-middle attacker to inject data into an encrypted communication channel. The attack does not require a valid SSL certificate and can be carried out against systems that require client certificate authentication. On the server side, the attack allows the attacker's SQL query to be inserted at the moment the client's encrypted connection to the PostgreSQL server is being established.
On the libpq side, the vulnerability allows the attacker to return a forged server response to the client. Combined, the vulnerabilities allow extraction of the password or other confidential client data transmitted at an early stage of the connection.

Separately, Yandex has published a new version of the proxy server Odyssey 1.2, designed to maintain a pool of open connections to the PostgreSQL DBMS and to organize query routing. Odyssey supports running several workers with multi-threaded handlers, pinning a client to the same server when it connects, and binding connections to users and databases. The code is written in C and is distributed under the BSD license.

The new version of Odyssey adds protection that blocks data substitution after the SSL session has been negotiated (this blocks attacks using the above-mentioned CVE-2021-23214 and CVE-2021-23222 vulnerabilities). Support for PAM and LDAP has been implemented. Integration with the Prometheus monitoring system has been added. The statistics parameters have been improved to account for transaction and query execution time.
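As an added illustration of the check that both the server-side fix and the libpq/Odyssey-side fix described above need (example code, not from PostgreSQL or Odyssey): after the SSLRequest exchange, any plaintext bytes that arrived in the same read as the negotiation message must cause a disconnect rather than be buffered and later parsed as if they had come over TLS. Function names, return strings and the sample inputs are assumptions constructed for this example; the SSLRequest encoding is the one from the PostgreSQL wire protocol.

```python
import struct

# SSLRequest on the PostgreSQL wire: int32 length (8) then int32 code
# 80877103 == (1234 << 16) | 5679. It is sent in plaintext before TLS starts.
SSL_REQUEST_CODE = 80877103
SSL_REQUEST = struct.pack("!II", 8, SSL_REQUEST_CODE)


def server_inspect_ssl_request(received: bytes) -> str:
    """Server side (the CVE-2021-23214 pattern).

    `received` is everything one recv() returned before TLS was started; the
    caller is assumed to have read at least one complete 8-byte message.
    Returns:
      "start-tls"  exactly one SSLRequest: safe to answer 'S' and begin TLS
      "not-ssl"    something else (e.g. a plaintext StartupMessage)
      "disconnect" SSLRequest followed by extra plaintext. Those bytes were
                   never protected by TLS, so a man-in-the-middle could have
                   appended them; the only safe reaction is to drop the session.
    """
    if received[:8] != SSL_REQUEST:
        return "not-ssl"
    return "start-tls" if len(received) == 8 else "disconnect"


def client_inspect_ssl_response(received: bytes) -> str:
    """Client side (the CVE-2021-23222 pattern).

    The server answers SSLRequest with a single byte: 'S' (TLS accepted) or
    'N' (no TLS). Anything trailing that byte was not sent over TLS and must
    not be consumed as server responses once the encrypted session is up, so
    it yields "disconnect" instead of "start-tls" / "no-tls".
    """
    if len(received) != 1:
        return "disconnect"
    if received == b"S":
        return "start-tls"
    if received == b"N":
        return "no-tls"
    return "disconnect"


if __name__ == "__main__":
    # Constructed sample reads: a clean exchange and one with trailing plaintext.
    print(server_inspect_ssl_request(SSL_REQUEST))               # start-tls
    print(server_inspect_ssl_request(SSL_REQUEST + b"extra"))    # disconnect
    print(client_inspect_ssl_response(b"S"))                     # start-tls
    print(client_inspect_ssl_response(b"S" + b"extra"))          # disconnect
```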

/Media reports.