FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
2ccd71bd-426b-11ec-87db-6cc21735f730	PostgreSQL -- Possible man-in-the-middle attacks The PostgreSQL Project reports: CVE-2021-23214: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.) CVE-2021-23222: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214. Discovery 2021-11-08 Entry 2021-11-10 postgresql14-server lt 14.1 postgresql13-server lt 13.5 postgresql12-server lt 12.9 postgresql11-server lt 11.14 postgresql10-server lt 10.19 postgresql96-server lt 9.6.24 CVE-2021-23214 CVE-2021-23222

VuXML ID

Description

2ccd71bd-426b-11ec-87db-6cc21735f730

PostgreSQL -- Possible man-in-the-middle attacks

The PostgreSQL Project reports:

CVE-2021-23214: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)

CVE-2021-23222: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.

Discovery 2021-11-08
Entry 2021-11-10
postgresql14-server

lt 14.1

postgresql13-server

lt 13.5

postgresql12-server

lt 12.9

postgresql11-server

lt 11.14

postgresql10-server

lt 10.19

postgresql96-server

lt 9.6.24

CVE-2021-23214
CVE-2021-23222