[pgpool-general: 6356] pgpoolAdmin 4.0.1 officially released.

Bo Peng pengbo at sraoss.co.jp
Thu Dec 20 15:02:45 JST 2018


PgPool Global Development Group has released a Security Update of pgpoolAdmin.

The purpose of this release is to address CVE-2018-16203, which
allows an attacker to log in without properly checking the authorization.
After getting into pgpoolAdmin, the attacker can control Pgpool-II.
It may also be possible to obtain the superuser role of a PostgreSQL database.

This vulnerability affects all versions of pgpoolAdmin. We recommend
upgrading pgpoolAdmin to 4.0.1 immediately (remember that pgpoolAdmin
4.0.1 is compatible with Pgpool-II 3.4 or later).

PgPool Global Development Group would like to thank Fotios Rogkotis
of DarkMatter for finding the security issue and giving us
detailed studies on it.

You can download the source code and RPMs from:

  http://pgpool.net/mediawiki/index.php/Downloads

-- 
Bo Peng <pengbo at sraoss.co.jp>
SRA OSS, Inc. Japan


