src/include/pool.h | 6 3 + 3 - 0 !
src/sample/pgpool.conf.sample | 10 5 + 5 - 0 !
2 files changed, 8 insertions(+), 8 deletions(-)

 pgpool2 debian config

src/test/pgpool_setup.in | 4 2 + 2 - 0 !
src/test/regression/tests/054.postgres_fdw/test.sh | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 pgpool_setup + pg_md5 path
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877851

doc.ja/src/sgml/memcache.sgml | 17 17 + 0 - 0 !
doc/src/sgml/memcache.sgml | 25 25 + 0 - 0 !
src/context/pool_session_context.c | 83 83 + 0 - 0 !
src/include/context/pool_session_context.h | 19 19 + 0 - 0 !
src/include/query_cache/pool_memqcache.h | 4 3 + 1 - 0 !
src/include/utils/pool_select_walker.h | 2 2 + 0 - 0 !
src/protocol/CommandComplete.c | 148 148 + 0 - 0 !
src/protocol/pool_proto_modules.c | 6 4 + 2 - 0 !
src/query_cache/pool_memqcache.c | 29 28 + 1 - 0 !
src/test/regression/tests/006.memqcache/alter_database1.data | 53 53 + 0 - 0 !
src/test/regression/tests/006.memqcache/alter_database2.data | 18 18 + 0 - 0 !
src/test/regression/tests/006.memqcache/alter_database3.data | 8 8 + 0 - 0 !
src/test/regression/tests/006.memqcache/alter_role.data | 50 50 + 0 - 0 !
src/test/regression/tests/006.memqcache/alter_table1.data | 60 60 + 0 - 0 !
src/test/regression/tests/006.memqcache/alter_table2.data | 18 18 + 0 - 0 !
src/test/regression/tests/006.memqcache/alter_table3.data | 8 8 + 0 - 0 !
src/test/regression/tests/006.memqcache/expected.n | 569 569 + 0 - 0 !
src/test/regression/tests/006.memqcache/expected.r | 627 627 + 0 - 0 !
src/test/regression/tests/006.memqcache/expected.s | 569 569 + 0 - 0 !
src/test/regression/tests/006.memqcache/revoke1.data | 73 73 + 0 - 0 !
src/test/regression/tests/006.memqcache/revoke2.data | 19 19 + 0 - 0 !
src/test/regression/tests/006.memqcache/revoke3.data | 8 8 + 0 - 0 !
src/test/regression/tests/006.memqcache/row_security.data | 42 42 + 0 - 0 !
src/test/regression/tests/006.memqcache/session_authorization.data | 19 19 + 0 - 0 !
src/test/regression/tests/006.memqcache/set_role1.data | 19 19 + 0 - 0 !
src/test/regression/tests/006.memqcache/set_role2.data | 39 39 + 0 - 0 !
src/test/regression/tests/006.memqcache/set_role3.data | 44 44 + 0 - 0 !
src/test/regression/tests/006.memqcache/set_role4.data | 90 90 + 0 - 0 !
src/test/regression/tests/006.memqcache/test.sh | 336 336 + 0 - 0 !
src/utils/pool_select_walker.c | 105 105 + 0 - 0 !
30 files changed, 3103 insertions(+), 4 deletions(-)

 [patch] fix multiple query cache vulnerabilities (cve-2024-45624).

When the query cache feature is enabled, it was possible that a user
can read rows from tables that should not be visible for the user
through query cache.

- If query cache is created for a row security enabled table for user
  A, and then other user B accesses the table via SET ROLE or SET
  SESSION_AUTHORIZATION in the same session, it was possible for the
  user B to retrieve rows which should not be visible from the user B.

- If query cache is created for a table for user A, and then other
  user B accesses the table via SET ROLE or SET SESSION_AUTHORIZATION
  in the same session, it was possible for the user B to retrieve rows
  which should not be visible from the user B.

- If query cache is created for a table for a user, and then the
  access right of the table is revoked from the user by REVOKE
  command, still it was possible for the user to to retrieve the rows
  through the query cache.

Besides the vulnerabilities, there were multiple bugs with the query
cache feature.

- If query cache is created for a row security enabled table for a
  user, and then ALTER DATABASE BYPASSRLS or ALTER ROLE BYPASSRLS
  disable the row security of the table, subsequent SELECT still
  returns the same rows as before through the query cache.

- If query cache is created for a table for a user, and then ALTER
  TABLE SET SCHEMA changes the search path to not allow to access the
  table, subsequent SELECT still returns the rows as before through
  the query cache.

To fix above, following changes are made:

- Do not allow to create query cache/use query cache for row security
  enabled tables (even if the table is included in
  cache_safe_memqcache_table_list).

- Do not allow to create query cache/use query cache if SET ROLE/SET
  AUTHORIZATION is executed in the session (query cache invalidation
  is performed when a table is modified as usual).

- Remove entire query cache if REVOKE/ALTER DATABASE/ALTER TABLE/ALTER
  ROLE is executed. If the command is executed in an explicit
  transaction, do not create query cache/use query cache until the
  transaction gets committed (query cache invalidation is performed
  when a table is modified as usual). If the transaction is aborted,
  do not remove query cache.

Patch is created by Tatsuo Ishii.

Backpatch-through: v4.1

doc.ja/src/sgml/memcache.sgml | 2 1 + 1 - 0 !
doc/src/sgml/memcache.sgml | 2 1 + 1 - 0 !
src/protocol/CommandComplete.c | 36 35 + 1 - 0 !
src/test/regression/tests/006.memqcache/expected.n | 29 29 + 0 - 0 !
src/test/regression/tests/006.memqcache/expected.r | 31 31 + 0 - 0 !
src/test/regression/tests/006.memqcache/expected.s | 29 29 + 0 - 0 !
src/test/regression/tests/006.memqcache/test.sh | 12 12 + 0 - 0 !
7 files changed, 138 insertions(+), 3 deletions(-)

 [patch] optimize query cache invalidation for alter role.

Commit 6b7d585eb1c693e4ffb5b8e6ed9aa0f067fa1b89 invalidates query
cache if any ALTER ROLE/USER statement is used. Actually this is an
overkill. Because following queries do not affect the privilege of the
role.

- ALTER ROLE user WITH [ENCRYPTED] PASSWORD
- ALTER ROLE user WITH CONNECTION LIMIT

So do not invalidate query cache if those commands are used.

Backpatch-through: v4.1
Discussion: https://www.pgpool.net/pipermail/pgpool-hackers/2024-October/004532.html

doc.ja/src/sgml/client-auth.sgml | 45 23 + 22 - 0 !
doc/src/sgml/client-auth.sgml | 62 43 + 19 - 0 !
src/auth/pool_auth.c | 390 60 + 330 - 0 !
src/sample/pgpool.pam | 3 1 + 2 - 0 !
src/test/regression/tests/040.client_auth/client_auth_2node.csv | 126 126 + 0 - 0 !
src/test/regression/tests/040.client_auth/create_ldap_user.sh | 20 20 + 0 - 0 !
src/test/regression/tests/040.client_auth/create_pam_user.sh | 17 17 + 0 - 0 !
src/test/regression/tests/040.client_auth/del_ldap_users.sh | 8 8 + 0 - 0 !
src/test/regression/tests/040.client_auth/del_pam_users.sh | 7 7 + 0 - 0 !
src/test/regression/tests/040.client_auth/list_ldap_user.sh | 17 17 + 0 - 0 !
src/test/regression/tests/040.client_auth/list_pam_user.sh | 16 16 + 0 - 0 !
src/test/regression/tests/040.client_auth/pam_users.txt | 41 41 + 0 - 0 !
src/test/regression/tests/040.client_auth/test.sh | 474 474 + 0 - 0 !
13 files changed, 853 insertions(+), 373 deletions(-)

 [patch 1/1] fix incorrect client authentication in some cases.

If enable_pool_hba = on, it's auth method is "password", no password
is registered in pool_passwd, and auth method in pg_hba.conf is
"scram-sha-256" or "md5", for the first time when a client connects to
pgpool, authentication is performed as expected. But if a client
connects to the cached connection, any password from the client is
accepted.

authenticate_frontend() asks password to the client and stores it in
frontend->password.  When pgpool authenticate backend,
authenticate_frontend_SCRAM() or authenticate_frontend_md5() is called
depending on pg_hba.conf setting. authenticate_frontend_*() calls
get_auth_password() to get backend cached password but it mistakenly
returned frontend->password if pool_passwd does not have an entry for
the user. Then authenticate_frontend_*() tries to challenge based on
frontend->password. As a result, they compared frontend->password
itself, which always succeed. To fix this, when get_auth_password() is
called with reauth parameter being non 0, return backend->password.

Also if enable_pool_hba = off, in some cases a client is not asked
password for the first time, or when a client connects to cached
connection, even if it should be.

If pool_hba.conf is disabled, get_backend_connection() does not call
Client_authentication(), thus frontend->password is not set. Then
pool_do_reauth() calls do_clear_text_password(). It should have called
authenticate_frontend_clear_text() to get a password from the client,
but a mistake in a if statement prevented it. The mistake was fixed in
this commit.

Pgpool-II versions affected: v4.0 or later.

Also this commit does followings:

- Remove single PostgreSQL code path to simplify the authentication
  code. As a result, following cases are no more Ok.

- Remove crypt authentication support for frontend and backend. The
  feature had not been documented and never tested. Moreover crypt
  authentication was removed long time ago in PostgreSQL (8.4, 2009).

- Add new regression test "040.client_auth". The test performs
  exhaustive client authentication tests using a test specification
  file formatted in CSV.
  The csv files have 7 fields:
  username: the username used for the test case

  pool_hba.conf: takes "scram", "md5", "password", "pam", "ldap" or
  "off". If "scram", "md5" , "password", "pam" or "ldap", the user
  will have an entry in pool_hba.conf accordingly. If "off",
  enable_pool_hba.conf will be off.

  allow_clear_text_frontend_auth: takes "on" or "off".

  pool_passwd: takes "AES", "md5" or "off". If "AES" or "md5" the
  user's password will be stored in pool_passwd using ASE256 or md5
  encryption method accordingly. If "off" is specified, no entry will
  be created.

  pg_hba.conf: almost same as pool_hba.conf except this is for
  pg_hba.conf.

  expected: takes "ok" or "fail". If ok, the authentication is
  expected to be succeeded. If failed, the test is regarded as
  failed. "fail" is opposite. The authentication is expected to be
  failed. If succeeds, the test regarded as failed.

  comment: arbitrary comment

  By changing these fields, we can easily modify or add test
  cases. The merit of this method is possible higher test
  coverage. For human, it is easier to find uncovered test cases in a
  table than in a program code.

Backpatch-through: v4.2

The patch was created by Tatsuo Ishii.