Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:15154
HistoryDec 29, 2009 - 12:00 a.m.

PostgreSQL CA SSL证书验证漏洞

2009-12-2900:00:00
Root
www.seebug.org
126

0.003 Low

EPSS

Percentile

68.6%

JSON

BUGTRAQ ID: 37334
CVE ID: CVE-2009-4034

PostgreSQL是一款高级对象-关系型数据库管理系统,支持扩展的SQL标准子集。

PostgreSQL没有正确地验证X.509证书主题的通用名称(CN)字符的域名中的空字符(\0),在处理包含有空字符的证书字段时错误地将空字符处理为截止字符,因此只会验证空字符前的部分。例如,对于类似于以下的名称:

example.com\0.haxx.se

证书是发布给haxx.se的,但PostgreSQL错误的验证给example.com,这允许攻击者通过合法CA所发布的特制服务器证书伪造成为任意基于SSL的PostgreSQL服务器执行中间人攻击,或绕过预期的客户端-主机名限制。

PostgreSQL PostgreSQL 8.4.x
PostgreSQL PostgreSQL 8.3.x
PostgreSQL PostgreSQL 8.2.x
PostgreSQL PostgreSQL 8.1.x
PostgreSQL PostgreSQL 8.0.x
PostgreSQL PostgreSQL 7.4.x
厂商补丁:

PostgreSQL

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.postgresql.org/about/news.1170

Sun

Sun已经为此发布了一个安全公告(Sun-Alert-6909139)以及相应补丁:
Sun-Alert-6909139:Security Vulnerabilities in PostgreSQL Shipped With Solaris May Allow Escalation of Privileges or Man-in-the-Middle on SSL Connections
链接:http://sunsolve.sun.com/search/document.do?assetkey=1-66-274870-1

Related

seebug 1
postgresql 1
nessus 17
securityvulns 2
openvas 12
osv 1
fedora 2
debian 1
prion 1
ubuntucve 1
cve 1
ubuntu 1
freebsd 1
gentoo 1
seebug
seebug
PostgreSQL空字符CA SSL整数校验安全绕过漏洞
2009-12-17 00:00:00
postgresql
postgresql
Vulnerability in core server (CVE-2009-4034)
2009-12-15 18:30:00
nessus
nessus
openSUSE Security Update : postgresql (postgresql-1773)
2010-01-19 00:00:00
Fedora 11 : postgresql-8.3.9-1.fc11 (2009-13363)
2009-12-18 00:00:00
SuSE 10 Security Update : PostgreSQL (ZYPP Patch Number 6767)
2010-01-19 00:00:00
securityvulns
securityvulns
PostgreSQL multiple security vulnerabilities
2009-12-15 00:00:00
[ MDVSA-2009:333 ] postgresql
2009-12-15 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-876-1)
2010-01-15 00:00:00
Debian: Security Advisory (DSA-1964-1)
2023-03-08 00:00:00
Fedora Core 11 FEDORA-2009-13363 (postgresql)
2009-12-30 00:00:00
osv
osv
postgresql-7.4 postgresql-8.1 postgresql-8.3 - several vulnerabilities
2009-12-31 00:00:00
fedora
fedora
[SECURITY] Fedora 12 Update: postgresql-8.4.2-1.fc12
2009-12-18 04:39:48
[SECURITY] Fedora 11 Update: postgresql-8.3.9-1.fc11
2009-12-18 04:36:29
debian
debian
[SECURITY] [DSA-1964-1] New PostgreSQL packages fix several vulnerabilities
2009-12-31 16:38:37
prion
prion
Design/Logic Flaw
2009-12-15 18:30:00
ubuntucve
ubuntucve
CVE-2009-4034
2009-12-15 00:00:00
cve
cve
CVE-2009-4034
2009-12-15 18:30:00
ubuntu
ubuntu
PostgreSQL vulnerabilities
2010-01-03 00:00:00
freebsd
freebsd
postgresql -- multiple vulnerabilities
2009-11-20 00:00:00
gentoo
gentoo
PostgreSQL: Multiple vulnerabilities
2011-10-25 00:00:00

0.003 Low

EPSS

Percentile

68.6%

JSON
Related for SSV:15154
seebug1postgresql1nessus17securityvulns2openvas12osv1fedora2debian1prion1ubuntucve1cve1ubuntu1freebsd1gentoo1