PT-2012-2920 · Postgresql+2
Heikki Linnakangas · Published 2012-05-21 · Updated 2024-06-15
CVE-2012-0867
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
PostgreSQL versions 8.4.x through 8.4.10
PostgreSQL versions 9.0.x through 9.0.6
PostgreSQL versions 9.1.x through 9.1.2
Description
The issue allows remote attackers to spoof connections when the host name is exactly 32 characters long, because SSL certificate verification truncates the certificate's common name to 32 characters before comparing it with the host name, so any common name whose first 32 characters equal the host name is accepted. This can occur under certain circumstances, particularly when using third-party certificate authorities.
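The following is an added illustration of the bug class the description names, not PostgreSQL's own source: a common-name check that copies the CN into a fixed 32-byte buffer (the assumed buffer size is taken from the advisory's "32 characters") next to a check that compares the full, parser-reported length. The host name, the legitimate CN and the longer CN are constructed values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not PostgreSQL source). CN_TRUNC_LEN is an assumed
 * buffer size based on the advisory's "32 characters"; every host and
 * CN string below is constructed for the demonstration.
 */
#define CN_TRUNC_LEN 32

/* Vulnerable pattern: the CN is copied into a fixed 32-byte buffer and
 * silently truncated, then compared with the host name. Any CN whose
 * first 32 characters equal a 32-character host name therefore matches,
 * no matter what follows. */
bool cn_matches_truncated(const char *cert_cn, const char *host)
{
    char buf[CN_TRUNC_LEN + 1];

    strncpy(buf, cert_cn, CN_TRUNC_LEN);   /* drops everything past 32 */
    buf[CN_TRUNC_LEN] = '\0';
    return strcmp(buf, host) == 0;
}

/* Hardened pattern: compare the whole CN using the length the
 * certificate parser reports instead of a fixed buffer. A length
 * mismatch alone fails the check, so no prefix of a longer CN can
 * pass as the host name. */
bool cn_matches_full(const char *cert_cn, size_t cn_len, const char *host)
{
    if (cn_len != strlen(host))
        return false;
    return memcmp(cert_cn, host, cn_len) == 0;
}

/* Constructed inputs: a host name of exactly 32 characters, a certificate
 * CN that equals it, and a longer CN sharing the same first 32 characters. */
const char *HOST_32   = "postgres-01.internal.example.com";
const char *CN_GOOD   = "postgres-01.internal.example.com";
const char *CN_LONGER = "postgres-01.internal.example.com.example.net";

/* Runs both checks over the constructed CNs and returns how many of them
 * the truncating check accepts while the full-length check rejects. */
int count_divergent_accepts(void)
{
    const char *cns[] = { CN_GOOD, CN_LONGER };
    int divergent = 0;

    for (size_t i = 0; i < sizeof cns / sizeof cns[0]; i++) {
        bool weak   = cn_matches_truncated(cns[i], HOST_32);
        bool strict = cn_matches_full(cns[i], strlen(cns[i]), HOST_32);
        printf("CN %-45s truncated:%d full:%d\n", cns[i], weak, strict);
        if (weak && !strict)
            divergent++;
    }
    return divergent;
}

int main(void)
{
    printf("host name length: %zu\n", strlen(HOST_32));
    /* Exactly one CN (the longer one) is accepted only by the weak check. */
    return count_divergent_accepts() == 1 ? 0 : 1;
}
```

The legitimate CN passes both checks; the longer CN passes only the truncating check, which is the spoofing condition the description refers to. The fix is to stop truncating: compare against the CN's actual length rather than against a fixed-size copy.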
Recommendations
For PostgreSQL versions 8.4.x through 8.4.10, update to version 8.4.11 or later.
For PostgreSQL versions 9.0.x through 9.0.6, update to version 9.0.7 or later.
For PostgreSQL versions 9.1.x through 9.1.2, update to version 9.1.3 or later.
Fix
RCE
Improper Certificate Validation
Related Identifiers
Affected Products
Centos
Postgresql
Red Hat