mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-11-30 11:32:03 +00:00
2.7 KiB
2.7 KiB
sidebar_position | sidebar_label |
---|---|
1 | 2023 |
2023 Changelog
ClickHouse release v23.9.6.20-stable (cf7e84bb8c
) FIXME as compared to v23.9.5.29-stable (f8554c1a1f
)
Improvement
- Backported in #56930: There was a potential vulnerability in previous ClickHouse versions: if a user has connected and unsuccessfully tried to authenticate with the "interserver secret" method, the server didn't terminate the connection immediately but continued to receive and ignore the leftover packets from the client. While these packets are ignored, they are still parsed, and if they use a compression method with another known vulnerability, it will lead to exploitation of it without authentication. This issue was found with ClickHouse Bug Bounty Program by https://twitter.com/malacupa. #56794 (Alexey Milovidov).
Build/Testing/Packaging Improvement
- Backported in #57022: There was an attempt to have the proper listing in #44311, but the fix itself was in the wrong place, so it's still broken. See an example. #56989 (Mikhail f. Shiryaev).
Bug Fix (user-visible misbehavior in an official stable release)
- Fix ON CLUSTER queries without database on initial node #56484 (Nikolay Degterinsky).
- Fix buffer overflow in Gorilla codec #57107 (Nikolay Degterinsky).
- Close interserver connection on any exception before authentication #57142 (Antonio Andelic).
NOT FOR CHANGELOG / INSIGNIFICANT
- Fix client suggestions for user without grants #56234 (Nikolay Degterinsky).
- Fix pygithub #56778 (Mikhail f. Shiryaev).
- Avoid dependencies with no fixed versions #56914 (Alexey Milovidov).
- Tiny improvement security #57171 (Mikhail f. Shiryaev).