Pgpool-II 4.4.2, 4.3.5, 4.2.12, 4.1.15 and 4.0.22 released.
What is Pgpool-II?
Pgpool-II is a tool to add useful features to PostgreSQL, including:
- connection pooling
- load balancing
- automatic failover and more.
Minor releases
The Pgpool Global Development Group is pleased to announce the availability of the following versions of Pgpool-II:
- 4.4.2
- 4.3.5
- 4.2.12
- 4.1.15
- 4.0.22
This release contains a security fix.
If all of the following conditions are met, the password of "wd_lifecheck_user" is exposed by the "SHOW POOL_STATUS" command. The command can be executed by any user who can connect to Pgpool-II. (CVE-2023-22332)
- Version 3.3 or later
- use_watchdog = on
- wd_lifecheck_method = 'query'
- A plain text password is set to wd_lifecheck_password
In this case, it is strongly recommended to upgrade to this version (we no longer expose wd_lifecheck_password in the show pool_status command) or to use one of the following workarounds.
Workarounds for 4.0.x to 4.4.x users:
- Disable watchdog. Set use_watchdog to off.
- Change wd_lifecheck_method to heartbeat.
- Set wd_lifecheck_password to an empty string. Pgpool-II will then use the password in the pool_passwd file.
- Set wd_lifecheck_password to an AES-encrypted password.
In any case, we recommend changing "wd_lifecheck_password" in PostgreSQL.
Workarounds for 3.0.x to 3.7.x users:
- Disable watchdog. Set use_watchdog to off.
- Change wd_lifecheck_method to heartbeat.
In any case, we recommend changing "wd_lifecheck_password" in PostgreSQL.
Please note that Pgpool-II 3.7.x and earlier are end of life, and no minor updates are provided for those versions.
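The exposure conditions and the 4.0.x to 4.4.x workarounds above can be checked against a pgpool.conf with a short script. This is an added example, not code from the Pgpool-II project; the parameter defaults, the accepted boolean spellings and the "AES" prefix used to recognise an encrypted password are assumptions taken from the Pgpool-II documentation, and the sample configurations are constructed.

```python
import re

# Defaults assumed from the Pgpool-II documentation (not stated on this page).
DEFAULTS = {"use_watchdog": "off", "wd_lifecheck_method": "heartbeat",
            "wd_lifecheck_password": ""}
# key = 'quoted value' (with '' as an escaped quote) or key = bare_value
LINE = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:'((?:[^']|'')*)'|([^#\s]*))")

def parse_conf(text):
    """Parse 'key = value' lines; the last assignment of a key wins."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        m = LINE.match(line)          # comment lines start with '#' and do not match
        if m:
            quoted, bare = m.group(2), m.group(3)
            value = quoted.replace("''", "'") if quoted is not None else bare
            conf[m.group(1).lower()] = value
    return conf

def exposure_findings(text):
    """Return the advisory's configuration conditions that this config meets."""
    conf = parse_conf(text)
    met = []
    if conf["use_watchdog"].lower() in {"on", "true", "yes", "1"}:
        met.append("use_watchdog = on")
    if conf["wd_lifecheck_method"].lower() == "query":
        met.append("wd_lifecheck_method = 'query'")
    pw = conf["wd_lifecheck_password"]
    # Assumption: an AES-encrypted value carries an "AES" prefix; an empty
    # value makes Pgpool-II fall back to pool_passwd (workaround above).
    if pw and not pw.startswith("AES"):
        met.append("plain text wd_lifecheck_password")
    return met

def is_exposed(text):
    """True only when all three configuration conditions hold together."""
    return len(exposure_findings(text)) == 3

# Constructed sample configurations, not taken from a real deployment.
BASE = "use_watchdog = on\nwd_lifecheck_method = 'query'  # lifecheck mode\n"
PLAIN_CONF = BASE + "wd_lifecheck_password = 'example-plaintext'\n"
EMPTY_CONF = BASE + "wd_lifecheck_password = ''\n"
AES_CONF = BASE + "wd_lifecheck_password = 'AESconstructedValue=='\n"
HEARTBEAT_CONF = PLAIN_CONF + "wd_lifecheck_method = 'heartbeat'\n"

if __name__ == "__main__":
    for name in ("PLAIN_CONF", "EMPTY_CONF", "AES_CONF", "HEARTBEAT_CONF"):
        print(name, is_exposed(globals()[name]), exposure_findings(globals()[name]))
```

The script checks configuration only; the running Pgpool-II version still has to be compared against the affected range separately.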
Please take a look at the release notes.
You can download the source code and RPMs.