-------------------------------------------------------------------------------
Fix Number: FJSVfsep-POOL2-15-1502-1.el9.x86_64
Product Names and Versions: Fujitsu Enterprise Postgres Pgpool-II 15/15SP1/15SP2
Creation date: 25.01.2024
-------------------------------------------------------------------------------
[High Risk Activity]
The Customer acknowledges and agrees that the Product is designed, developed
and manufactured as contemplated for general use, including without limitation,
general office use, personal use, household use, and ordinary industrial use,
but is not designed, developed and manufactured as contemplated for use
accompanying fatal risks or dangers that, unless extremely high safety is
secured, could lead directly to death, personal injury, severe physical damage
or other loss (hereinafter "High Safety Required Use"), including without
limitation, nuclear reaction control in nuclear facility, aircraft flight
control, air traffic control, mass transport control, medical life support
system, missile launch control in weapon system.
The Customer shall not use the Product without securing the sufficient safety
required for the High Safety Required Use.
In addition, Fujitsu (or other affiliate's name) shall not be liable against
the Customer and/or any third party for any claims or damages arising in
connection with the High Safety Required Use of the Product.

Product and company names mentioned in this manual are the trademarks or
registered trademarks of their respective owners.

Copyright 2023-2024 FUJITSU LIMITED
-------------------------------------------------------------------------------
[Notes]
- This is the readme for RHEL 8.
- This fix is applicable to environments where the following are installed.
    Fujitsu Enterprise Postgres Pgpool-II 15
- Please ensure that the following steps are carried out before applying or
  deleting this patch.
  - Stop the running Pgpool-II.
-------------------------------------------------------------------------------
[Patch Description]
The following fixes are included in this patch:

Fix Number: FJSVfsep-POOL2-15-1502-1.el9.x86_64

01 PH23246
   [*]Security failure
   [*]Serious failure ([ ]Degradation)
   [*]Incompatibility does not exist / [ ]Incompatibility exists
   - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)
   - Description
     There is no particular symptom, because this fix applies the bug
     corrections in Pgpool-II 4.4.1, 4.4.2, 4.4.3 and 4.2.4 to FUJITSU
     Enterprise Postgres.
   - Requirements to reproduce this issue
     There is no particular condition because this fix applies the changes of
     Pgpool-II 4.4.1, 4.4.2, 4.4.3 and 4.2.4 to FUJITSU Enterprise Postgres.
     You can see the applied changes at the URLs below.
       https://www.pgpool.net/docs/44/en/html/release-4-4-1.html
       https://www.pgpool.net/docs/44/en/html/release-4-4-2.html
       https://www.pgpool.net/docs/44/en/html/release-4-4-3.html
       https://www.pgpool.net/docs/44/en/html/release-4-4-4.html
   - Action
     Apply the changes of Pgpool-II to FUJITSU Enterprise Postgres.
   - Compatibility Information
     None.

02 PH23555
   [ ]Security failure
   [*]Serious failure ([*]Degradation)
   [*]Incompatibility does not exist / [ ]Incompatibility exists
   - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)
   - Description
     [Issue 1]
     A memory leak may occur in the connection of an application which uses
     libpq.
     [Issue 2]
     A memory leak may occur in the agent process of Mirroring Controller.
   - Requirements to reproduce this issue
     [Requirements to reproduce 1]
     Issue 1 may occur under the following conditions.
     1) The application uses the libpq client interface, and
     2) The authentication method to verify the user's password is either of
        the following methods when the application in 1) connects to the
        database server, and
        - scram-sha-256
        - md5
     3) The application in 1) attempts to establish the connection.
     Notes)
     This issue occurs particularly when connections are repeatedly connected
     and disconnected in an application process, because about 32 bytes of
     memory are leaked per connection.
     [Requirements to reproduce 2]
     Issue 2 may occur under the following conditions.
     1) Using Mirroring Controller, and
     2) The authentication method to verify the user's password is either of
        the following methods when the Mirroring Controller connects to the
        database server to monitor the database, and
        - scram-sha-256
        - md5
     3) Start the Mirroring Controller process.
   - Action
     Fix the processing of libpq to release the memory used to encrypt the
     password string.
   - Compatibility Information
     None.
-------------------------------------------------------------------------------
[Accumulated Patches]
The following fixes are included in this patch:

Fix Number: FJSVfsep-POOL2-15-1501-1.el9.x86_64

01 PH23344
   [*]Security failure
   [*]Serious failure ([ ]Degradation)
   [ ]Incompatibility does not exist / [*]Incompatibility exists
   - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)
   - Description
     This fix reflects fixes up to OpenSSL 3.0.12 in this product and does not
     indicate any specific symptoms.
   - Requirements to reproduce this issue
     This fix reflects fixes up to OpenSSL 3.0.12 in this product and has no
     specific occurrence conditions.
     The version of OpenSSL in which this product reflects the correction is
     as follows.
     - Enterprise Postgres 12, 12SP1, 12SP1A, 12SP1B, 13, 13SP1, 13SP1A
       14, 14SP1, 15, 15SP1
         1.1.1t
     - Symfoware Server V12.4.1, V12.5.0, V12.6.0, V12.6.0A, V12.7.0
         1.1.1t
     To check the details of the changes up to OpenSSL 3.0.12, see the
     OpenSSL release notes.
       https://www.openssl.org/docs/man3.0/man7/migration_guide.html
   - Action
     Apply OpenSSL changes to the product.
   - Compatibility Information
     - Summary
       Change the version of OpenSSL in this product to 3.0.12.
       Along with this, the following changes have been made:
       1. Some of the available encryption algorithms are no longer available
          by default.
       2. The use of certificates signed using SHA-1 is now prohibited.
     - Environment
       1. 1) Apply a patch which includes PH23344, and
          2) Use one of the following encryption algorithms using the
             pgcrypto module.
             - BF
             - CAST5
             - DES-ECB
             - DES-CBC
             - MD4
             - Whirlpool
       2. 1) Apply a patch which includes PH23344, and
          2) For certificate authentication, specify a certificate signed
             using SHA1.
     - Products combination of this compatibility problem
       If a patch which includes PH23344 is applied and the conditions listed
       in "Environment" apply.
     - Reason of conflictions
       This is because of a specification change associated with the version
       upgrade of OpenSSL in this product.
     - Impacts
       1. Functions of the pgcrypto module cause errors.
       2. Connection using certificate authentication results in an error.
     - Functional items (Summary, Before/After of migration)
       1. When using legacy algorithms in pgcrypto, an extension module for
          PostgreSQL, you need to prepare an OpenSSL configuration file and
          add parameters to the database server configuration file.
          [Before]
          In pgcrypto, encryption algorithms that have become legacy
          algorithms in OpenSSL 3 can be used with default settings.
          [After]
          In pgcrypto, encryption algorithms that have become legacy
          algorithms in OpenSSL 3 cannot be used with default settings.
       2. Certificates signed using SHA1 cannot be used for certificate
          authentication.
          [Before]
          You can connect to a database server using a certificate signed
          using SHA1.
          [After]
          You cannot connect to a database server using a certificate signed
          using SHA1.
     - Preventive Method
       1. Change the state to use the legacy algorithms by setting the
          following parameters in the database server configuration file
          postgresql.conf and restarting the server. There is no need to
          change any settings on the client side.
          * openssl_conf(string)
            Specify the OpenSSL configuration file.
            Legacy algorithms are available by specifying a valid
            configuration file. Please prepare the configuration file in any
            directory, referring to the example below.
            If this parameter is not specified, an empty string will be
            assumed.
            This parameter can only be set by specifying the parameter when
            starting the instance. It cannot be dynamically changed during
            instance startup.
            [example of OpenSSL configuration file]
            =====================
            openssl_conf = openssl_init

            [openssl_init]
            providers = provider_sect

            [provider_sect]
            default = default_sect
            legacy = legacy_sect

            [default_sect]
            activate = 1

            [legacy_sect]
            activate = 1
            =====================
            [example of parameter setting]
            openssl_conf = '/path/to/openssl.conf'
          * openssl_modules(string)
            Specifies the directory where additional OpenSSL modules are
            stored. Legacy algorithms can be used by specifying
            'server installation directory/lib/ossl-modules'.
            If this parameter is not specified, an empty string will be
            assumed.
            This parameter can only be set by specifying the parameter when
            starting the instance. It cannot be dynamically changed during
            instance startup.
            This parameter sets the environment variable OPENSSL_MODULES that
            applies to the server process. Please do not set the environment
            variable OPENSSL_MODULES using any method other than setting this
            parameter, as this may result in abnormal behavior.
            [example of parameter setting]
            openssl_modules = '/opt/fsepv15server64/lib/ossl-modules'
       2. Please reissue the certificate used for certificate authentication
          with SHA2 or higher.
     - Back out method of the functions
       None.
     - User action
       It is the same as the Preventive Method.

Fix Number: FJSVfsep-POOL2-15-1501-0.el9.x86_64

01 PH22849
   [*]Security failure
   [*]Serious failure ([ ]Degradation)
   [*]Incompatibility does not exist / [ ]Incompatibility exists
   - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)
   - Description
     This fix reflects fixes up to OpenSSL 1.1.1t in this product and does not
     indicate any specific symptoms.
   - Requirements to reproduce this issue
     This fix reflects fixes up to OpenSSL 1.1.1t in this product and has no
     specific occurrence conditions.
     To check the details of the changes up to OpenSSL 1.1.1t, see the
     OpenSSL release notes.
       https://www.openssl.org/news/openssl-1.1.1-notes.html
     The version of OpenSSL in which this product reflects the correction is
     as follows.
     - Enterprise Postgres Pgpool-II 15
         1.1.1t, 1.1.1s, 1.1.1r, 1.1.1q, 1.1.1p, 1.1.1o, 1.1.1n, 1.1.1m
   - Action
     Apply OpenSSL changes to the product.
   - Compatibility Information
     None.
-------------------------------------------------------------------------------
[List of fixed files]
Files replaced by the patch:
  $INS_DIR/bin/pcp_attach_node
  $INS_DIR/bin/pcp_detach_node
  $INS_DIR/bin/pcp_health_check_stats
  $INS_DIR/bin/pcp_node_count
  $INS_DIR/bin/pcp_node_info
  $INS_DIR/bin/pcp_pool_status
  $INS_DIR/bin/pcp_proc_count
  $INS_DIR/bin/pcp_proc_info
  $INS_DIR/bin/pcp_promote_node
  $INS_DIR/bin/pcp_recovery_node
  $INS_DIR/bin/pcp_reload_config
  $INS_DIR/bin/pcp_stop_pgpool
  $INS_DIR/bin/pcp_watchdog_info
  $INS_DIR/bin/pg_enc
  $INS_DIR/bin/pg_md5
  $INS_DIR/bin/pgpool
  $INS_DIR/bin/pgpool_setup
  $INS_DIR/bin/pgproto
  $INS_DIR/bin/watchdog_setup
  $INS_DIR/bin/wd_cli
  $INS_DIR/etc/aws_eip_if_cmd.sh.sample
  $INS_DIR/etc/aws_rtb_if_cmd.sh.sample
  $INS_DIR/etc/escalation.sh.sample
  $INS_DIR/etc/failover.sh.sample
  $INS_DIR/etc/follow_primary.sh.sample
  $INS_DIR/etc/pcp.conf.sample
  $INS_DIR/etc/pgpool.conf.sample
  $INS_DIR/etc/pgpool_remote_start.sample
  $INS_DIR/etc/pool_hba.conf.sample
  $INS_DIR/etc/recovery_1st_stage.sample
  $INS_DIR/etc/replication_mode_recovery_1st_stage.sample
  $INS_DIR/etc/replication_mode_recovery_2nd_stage.sample
  $INS_DIR/include/libpcp_ext.h
  $INS_DIR/include/pcp.h
  $INS_DIR/include/pool_process_reporting.h
  $INS_DIR/include/pool_type.h
  $INS_DIR/lib/libcom_err.so.3
  $INS_DIR/lib/libcrypto.so.3
  $INS_DIR/lib/libgssapi_krb5.so.2
  $INS_DIR/lib/libk5crypto.so.3
  $INS_DIR/lib/libkrb5.so.3
  $INS_DIR/lib/libkrb5support.so.0
  $INS_DIR/lib/liblber-2.5.so.0
  $INS_DIR/lib/libldap-2.5.so.0
  $INS_DIR/lib/libpcp.a
  $INS_DIR/lib/libpcp.la
  $INS_DIR/lib/libpcp.so.2.0.0
  $INS_DIR/lib/libpq.so.5
  $INS_DIR/lib/libssl.so.3
  $INS_DIR/share/pgpool-II/insert_lock.sql
  $INS_DIR/share/pgpool-II/pgpool.pam
-------------------------------------------------------------------------------
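
The OpenSSL configuration file described in the Preventive Method for PH23344 can be linted before the server is restarted. The following is an added example, not Fujitsu's code: the function names and the LEGACY_ONLY sample are assumptions constructed here, and it shows why the readme's example activates the default provider alongside legacy.

```python
# Added example: lint an OpenSSL 3 config for the provider layout in the readme.
README_EXAMPLE = """\
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
"""

# Constructed misconfiguration: legacy is listed, default is left out.
LEGACY_ONLY = README_EXAMPLE.replace("default = default_sect\n", "")

def parse_openssl_conf(text):
    """Parse the subset of OpenSSL config syntax used above: sections and key = value."""
    sections, current = {"": {}}, ""   # "" holds keys that precede any [section]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def active_providers(text):
    """Follow openssl_conf -> providers -> per-provider section; collect activated names."""
    conf = parse_openssl_conf(text)
    init = conf.get(conf[""].get("openssl_conf"), {})
    listed = conf.get(init.get("providers"), {})
    # Assumption: only "activate = 1", the form used in the readme, counts as active.
    return {name for name, sect in listed.items()
            if conf.get(sect, {}).get("activate") == "1"}

def lint(text):
    """Return findings; an empty list means both required providers are activated."""
    active, findings = active_providers(text), []
    if "legacy" not in active:
        findings.append("legacy provider inactive: pgcrypto legacy algorithms stay unavailable")
    if "default" not in active:
        # OpenSSL stops loading the default provider implicitly once any provider is listed.
        findings.append("default provider inactive: non-legacy algorithms become unavailable")
    return findings
```

An empty result from lint() on the file named in openssl_conf means the layout matches the readme's example; it does not check that openssl_modules points at the directory holding the legacy module.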