PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.
References
| Link | Resource |
|---|---|
| http://lists.opensuse.org/opensuse-updates/2012-09/msg00060.html | Third Party Advisory |
| http://rhn.redhat.com/errata/RHSA-2012-0678.html | Third Party Advisory |
| http://secunia.com/advisories/49273 | |
| http://www.debian.org/security/2012/dsa-2418 | Third Party Advisory |
| http://www.mandriva.com/security/advisories?name=MDVSA-2012:026 | Broken Link |
| http://www.postgresql.org/about/news/1377/ | Vendor Advisory |
| http://www.postgresql.org/docs/8.4/static/release-8-4-11.html | Release Notes, Vendor Advisory |
| http://www.postgresql.org/docs/9.0/static/release-9-0-7.html | Release Notes, Vendor Advisory |
| http://www.postgresql.org/docs/9.1/static/release-9-1-3.html | Release Notes, Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2012-07-18T23:00:00
Updated: 2012-07-25T09:00:00
Reserved: 2012-01-19T00:00:00
Link: CVE-2012-0867
NVD Information
Status: Analyzed
Published: 2012-07-18T23:55:01.827
Modified: 2016-12-07T19:56:39.343
Link: CVE-2012-0867
Redhat Information
No data.