September 26, 2024: PostgreSQL 17 Released!

CVE-2020-21469 is not a security vulnerability

Posted on 2023-08-29 by PostgreSQL Global Development Group
PostgreSQL Project Security

The PostgreSQL Security Team was made aware of CVE-2020-21469, which was filed without the prior knowledge of the PostgreSQL Security Team.

THIS IS NOT A SECURITY VULNERABILITY.

The CVE claims that it's possible to create a denial-of-service in a PostgreSQL 12.2 by sending repeated SIGHUP (or reload) signals to the primary PostgreSQL process. However, to do this, you need to have an account that is explicitly granted elevated privileges, including:

  • A PostgreSQL superuser (postgres).
  • A user that was granted permission to execute pg_reload_conf by a PostgreSQL superuser.
  • Access to a privileged operating system user

If you are still running PostgreSQL 12.2, we do strongly encourage to upgrade to a newer release because of these actual CVEs and many other bug fixes.

If you suspect PostgreSQL has a security vulnerability, please first report it to the PostgreSQL Security Team for evaluation. The PostgreSQL Security Team has been maintaining its list of known vulnerabilities for nearly 20 years. The team works with all reporters to determine what is a valid vulnerability and to provide transparency to our users around security issues.

For more information on how you can report security vulnerabilities to the PostgreSQL Security Team and how the team evaluates reports, please see the security page:

https://www.postgresql.org/support/security/