ClickHouse/docs/changelogs/v23.10.5.20-stable.md

2.7 KiB

sidebar_position sidebar_label
1 2023

2023 Changelog

ClickHouse release v23.10.5.20-stable (e84001e5c6) FIXME as compared to v23.10.4.25-stable (330fd687d4)

Improvement

  • Backported in #56924: There was a potential vulnerability in previous ClickHouse versions: if a user has connected and unsuccessfully tried to authenticate with the "interserver secret" method, the server didn't terminate the connection immediately but continued to receive and ignore the leftover packets from the client. While these packets are ignored, they are still parsed, and if they use a compression method with another known vulnerability, it will lead to exploitation of it without authentication. This issue was found with ClickHouse Bug Bounty Program by https://twitter.com/malacupa. #56794 (Alexey Milovidov).

Build/Testing/Packaging Improvement

Bug Fix (user-visible misbehavior in an official stable release)

NOT FOR CHANGELOG / INSIGNIFICANT