When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
Upstream Advisory: https://www.postgresql.org/support/security/CVE-2021-23214/
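As an added example (not from the bug report or from PostgreSQL itself), a small Python audit that parses pg_hba.conf entries and reports the ones matching the precondition stated above (the cert method, or trust combined with a clientcert requirement), so an administrator can see which entries need attention before the errata are applied. The sample pg_hba.conf is constructed, and treating any clientcert value other than 0 / no-verify as a requirement is an assumption of this script.

```python
import re

# Authentication methods accepted in pg_hba.conf; used to locate the METHOD
# field, because host-type lines may give the address as "ip netmask".
AUTH_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
                "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}


def parse_hba_line(line):
    """(type, database, user, method, options) for one entry; None for
    blank and comment lines."""
    fields = re.sub(r"#.*", "", line).split()
    idx = next((i for i in range(3, len(fields)) if fields[i] in AUTH_METHODS), None)
    if idx is None:
        return None
    opts = dict(f.split("=", 1) for f in fields[idx + 1:] if "=" in f)
    return fields[0], fields[1], fields[2], fields[idx], opts


def is_affected(entry):
    """Precondition from the advisory: cert auth, or trust combined with a
    clientcert requirement (assumed: any value other than 0 / no-verify)."""
    method, opts = entry[3], entry[4]
    if method == "cert":
        return True
    return method == "trust" and opts.get("clientcert", "0") not in ("0", "no-verify")


def affected_entries(hba_text):
    """(type, database, user, method) for each entry that needs review."""
    return [e[:4] for e in map(parse_hba_line, hba_text.splitlines())
            if e and is_affected(e)]


# Constructed sample pg_hba.conf (not from a real deployment).
SAMPLE = """\
# TYPE  DATABASE  USER  ADDRESS            METHOD  [OPTIONS]
local   all       all                      peer
hostssl all       all   10.0.0.0/8         cert    clientcert=verify-full
hostssl all       app   10.0.0.0 255.0.0.0 trust   clientcert=verify-ca
hostssl all       all   0.0.0.0/0          trust   clientcert=0
host    all       all   192.168.1.0/24     scram-sha-256
"""

if __name__ == "__main__":
    for hit in affected_entries(SAMPLE):
        print("review:", *hit)
```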
Created mingw-postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2022667]
Created postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2022673]
Created postgresql:10/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2022668]
Created postgresql:11/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2022669]
Created postgresql:12/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2022670]
Created postgresql:13/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2022671]
Created postgresql:14/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2022674]
Created postgresql:9.6/postgresql tracking bugs for this issue:
Affects: fedora-34 [bug 2022672]
Upstream commit: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=28e24125541545483093819efae9bca603441951
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2021:5179 https://access.redhat.com/errata/RHSA-2021:5179
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2021:5197 https://access.redhat.com/errata/RHSA-2021:5197
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:5235 https://access.redhat.com/errata/RHSA-2021:5235
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:5236 https://access.redhat.com/errata/RHSA-2021:5236
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23214
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1830 https://access.redhat.com/errata/RHSA-2022:1830