
PostgresNIO Security Vulnerability

PostgresNIO 1.14.2 fixes CVE-2023-31136, a TLS flaw letting a man-in-the-middle inject responses to a client's first queries. Upgrade as soon as possible.

We’re sorry for the delay in publishing. We had issues with our deployment pipeline that are now fixed.

We released PostgresNIO 1.14.2 last week, which contains a security fix for a vulnerability in PostgresNIO’s TLS support. This has been designated as CVE-2023-31136.

Any PostgresNIO version before 1.14.2 connecting to a server with TLS enabled is vulnerable: a man-in-the-middle attacker can inject false responses to the client’s first few queries, despite the use of TLS certificate verification and encryption. This is the same class of issue as CVE-2021-23222 in PostgreSQL’s own libpq client.
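To make the failure mode concrete, here is an added example that is not PostgresNIO’s or libpq’s code. It models the client side of the PostgreSQL SSLRequest exchange that CVE-2021-23222 concerns: the client sends SSLRequest in plaintext, the server answers with a single byte (`S` to proceed with TLS, `N` for no TLS), and only then does the TLS handshake begin. A man-in-the-middle on that plaintext leg can append bytes after the `S`; a client that keeps them in its read buffer parses them after the handshake as if the certificate-verified server had sent them. The forged messages, the function names and the `hardened` flag are this example’s own constructions.

```python
# Added example, not PostgresNIO's or libpq's own code. It models the client
# side of the PostgreSQL SSLRequest exchange behind CVE-2021-23222: a one-byte
# plaintext answer from the server, then the TLS handshake. Bytes an attacker
# appends to that answer must not survive into the post-handshake parser.
# All names below are this example's own.
import struct
from typing import Iterator, Optional

SSL_REQUEST_CODE = (1234 << 16) | 5679  # 80877103, the protocol's SSLRequest code


def ssl_request() -> bytes:
    """SSLRequest: Int32 length (8) then Int32 request code, network byte order."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def backend_message(msg_type: bytes, body: bytes) -> bytes:
    """Encode a backend message: 1-byte type, Int32 length (includes itself), body."""
    return msg_type + struct.pack("!i", 4 + len(body)) + body


def parse_backend_messages(buf: bytes) -> Iterator[tuple[bytes, bytes]]:
    """Split a buffer into (type, body) backend messages; stops at a partial one."""
    pos = 0
    while pos + 5 <= len(buf):
        msg_type = buf[pos:pos + 1]
        (length,) = struct.unpack("!i", buf[pos + 1:pos + 5])
        if length < 4 or pos + 1 + length > len(buf):
            break
        yield msg_type, buf[pos + 5:pos + 1 + length]
        pos += 1 + length


def handle_ssl_answer_vulnerable(received: bytes) -> tuple[bool, bytes]:
    """Pre-fix behaviour: take the first byte as the answer and keep the rest
    buffered, to be parsed as server messages once TLS is up."""
    answer, rest = received[:1], received[1:]
    if answer not in (b"S", b"N"):
        raise ValueError(f"unexpected SSLRequest answer {answer!r}")
    return answer == b"S", rest


def handle_ssl_answer_fixed(received: bytes) -> bool:
    """Fixed behaviour: the answer must be exactly one byte. Extra data before
    the handshake cannot have come from an authenticated peer, so the
    connection is closed instead of carrying those bytes across the handshake."""
    if received == b"S":
        return True
    if received == b"N":
        return False
    raise ConnectionError(
        f"{len(received)} byte(s) received in answer to SSLRequest, expected "
        "exactly one ('S' or 'N'); closing connection")


def messages_seen_after_handshake(received: bytes, hardened: bool) -> Optional[list[bytes]]:
    """Message types the client would process from bytes carried across the
    handshake. None means the hardened client closed the connection."""
    if hardened:
        try:
            handle_ssl_answer_fixed(received)
        except ConnectionError:
            return None
        return []  # nothing carried over: only TLS-protected data is parsed next
    _use_tls, rest = handle_ssl_answer_vulnerable(received)
    return [msg_type for msg_type, _ in parse_backend_messages(rest)]


# Constructed attacker payload: a forged CommandComplete plus ReadyForQuery
# appended after the server's 'S'. A vulnerable client treats them as the
# server's reply to its first query, so a statement that actually failed or
# never ran can appear to have succeeded.
FORGED_REPLY = (
    backend_message(b"C", b"UPDATE 1\x00")  # CommandComplete
    + backend_message(b"Z", b"I")            # ReadyForQuery, idle
)
MITM_ANSWER = b"S" + FORGED_REPLY


if __name__ == "__main__":
    print("vulnerable client parses:", messages_seen_after_handshake(MITM_ANSWER, hardened=False))
    print("fixed client parses:    ", messages_seen_after_handshake(MITM_ANSWER, hardened=True))
```

The check in `handle_ssl_answer_fixed` is the whole fix: everything that arrives before the TLS handshake is unauthenticated, so the only safe policy is to require exactly the one byte the protocol specifies and to drop the connection on anything more, rather than trying to separate "legitimate" trailing bytes from injected ones.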

Special thanks to PostgreSQL’s Tom Lane <tgl@sss.pgh.pa.us> for reporting the original issue and Fabian Fett for the fix in PostgresNIO!

For more information, see the security advisory on GitHub.