CVE-2020-21469 is not a security vulnerability - Mailing list pgsql-announce

From PostgreSQL Global Development Group
Subject CVE-2020-21469 is not a security vulnerability
Date
Msg-id 169333794325.625.18324304875516609556@wrigleys.postgresql.org
Whole thread Raw
List pgsql-announce
 
PostgreSQL logo PostgreSQL logo

CVE-2020-21469 is not a security vulnerability

The PostgreSQL Security Team was made aware of CVE-2020-21469, which was filed without the prior knowledge of the PostgreSQL Security Team.

THIS IS NOT A SECURITY VULNERABILITY.

The CVE claims that it's possible to create a denial-of-service in a PostgreSQL 12.2 by sending repeated SIGHUP (or reload) signals to the primary PostgreSQL process. However, to do this, you need to have an account that is explicitly granted elevated privileges, including:

  • A PostgreSQL superuser (postgres).
  • A user that was granted permission to execute pg_reload_conf by a PostgreSQL superuser.
  • Access to a privileged operating system user

If you are still running PostgreSQL 12.2, we do strongly encourage to upgrade to a newer release because of these actual CVEs and many other bug fixes.

If you suspect PostgreSQL has a security vulnerability, please first report it to the PostgreSQL Security Team for evaluation. The PostgreSQL Security Team has been maintaining its list of known vulnerabilities for nearly 20 years. The team works with all reporters to determine what is a valid vulnerability and to provide transparency to our users around security issues.

For more information on how you can report security vulnerabilities to the PostgreSQL Security Team and how the team evaluates reports, please see the security page:

https://www.postgresql.org/support/security/

 
Attachment

pgsql-announce by date:

Previous
From: pgAdmin Development Team via PostgreSQL Announce
Date:
Subject: pgAdmin 4 v7.6 Released
Next
From: Stormatics via PostgreSQL Announce
Date:
Subject: Announcing the release of v1.0-rc1 of pg_cirrus - Hassle-free PostgreSQL cluster setup