PostgresNIO Security Vulnerability
We're sorry for the delay in publishing. We had issues with our deployment pipeline that're now fixed.
We released PostgresNIO 1.14.2 last week, which contains a security fix for a vulnerability in PostgresNIO's TLS support. This has been designated as CVE-2023-31136.
Any user of PostgresNIO connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption. This is related to the issue in PostgreSQL itself, CVE-2021-23222.
Special thanks to PostgreSQL's Tom Lane <email@example.com> for reporting the original issue and Fabian Fett for the fix in PostgresNIO!
For more information, see the security advisory on GitHub.