(Sun Issues Fix) PostgreSQL NULL Character Flaw in Certificate Processing Lets Remote Users Spoof Certificates
SecurityTracker Alert ID: 1023390
SecurityTracker URL: http://securitytracker.com/id/1023390
CVE Reference:
CVE-2009-4034
Date: Dec 28 2009
Impact:
Modification of authentication information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 7.4, 8.0, 8.1, 8.2, 8.3, 8.4
Description:
A vulnerability was reported in PostgreSQL. A remote user can spoof certificates of arbitrary clients and servers.
A remote user can create a certificate with a specially crafted field that contains a NULL character. Once the certificate is signed by a Certificate Authority, the certificate can be used to spoof a target client or server certificate.
Systems that have SSL enabled and perform certificate name validation or client certificate authentication may be affected.
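As an added illustration (not code from PostgreSQL, Sun or this advisory), the snippet below shows why a NUL inside a certificate name defeats strcmp()-based name validation and how a length-aware check rejects the crafted name. The minimal DER string parser, the sample names and all function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Parse one DER string element with a short-form length (PrintableString 0x13,
 * UTF8String 0x0C or IA5String 0x16). Returns a pointer to the contents and
 * stores their length, or NULL if the element is malformed. */
static const unsigned char *der_string(const unsigned char *buf, size_t buflen, size_t *len)
{
    if (buflen < 2 || (buf[0] != 0x13 && buf[0] != 0x0C && buf[0] != 0x16)) return NULL;
    if (buf[1] >= 0x80 || (size_t)buf[1] + 2 > buflen) return NULL; /* long form not handled */
    *len = buf[1];
    return buf + 2;
}

/* Vulnerable pattern: copy the name into a C string and strcmp() it. The copy
 * keeps the embedded NUL, so strcmp() stops there and the crafted name compares
 * equal to the legitimate host. Returns 1 on match, 0 on mismatch, -1 on error. */
int naive_name_matches(const unsigned char *der, size_t der_len, const char *host)
{
    char name[128]; size_t len;
    const unsigned char *s = der_string(der, der_len, &len);
    if (s == NULL || len >= sizeof name) return -1;
    memcpy(name, s, len); name[len] = '\0';
    return strcmp(name, host) == 0;
}

/* Hardened check: the ASN.1 length is authoritative. A NUL anywhere inside that
 * length is rejected outright, and the comparison itself is length-aware. */
int strict_name_matches(const unsigned char *der, size_t der_len, const char *host)
{
    size_t len;
    const unsigned char *s = der_string(der, der_len, &len);
    if (s == NULL || memchr(s, '\0', len) != NULL) return -1;
    return strlen(host) == len && memcmp(s, host, len) == 0;
}

/* Constructed sample names (not taken from any real certificate). */
#define GOOD_CN    "www.example.com"
#define CRAFTED_CN "www.example.com\0other.example"   /* NUL right after the spoofed host */

/* Encode contents as a DER UTF8String into out[]; returns the element length. */
static size_t der_build(unsigned char *out, const char *contents, size_t len)
{
    out[0] = 0x0C; out[1] = (unsigned char)len;
    memcpy(out + 2, contents, len);
    return 2 + len;
}

int demo_good_strict(void)    { unsigned char b[64]; size_t n = der_build(b, GOOD_CN, sizeof GOOD_CN - 1);       return strict_name_matches(b, n, "www.example.com"); }
int demo_crafted_naive(void)  { unsigned char b[64]; size_t n = der_build(b, CRAFTED_CN, sizeof CRAFTED_CN - 1); return naive_name_matches(b, n, "www.example.com"); }
int demo_crafted_strict(void) { unsigned char b[64]; size_t n = der_build(b, CRAFTED_CN, sizeof CRAFTED_CN - 1); return strict_name_matches(b, n, "www.example.com"); }

int main(void)
{
    printf("legitimate CN, strict check: %d\n", demo_good_strict());    /* 1: accepted */
    printf("crafted CN, naive check:     %d\n", demo_crafted_naive());  /* 1: spoof accepted */
    printf("crafted CN, strict check:    %d\n", demo_crafted_strict()); /* -1: rejected */
    return 0;
}
```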
Impact:
A remote user can spoof certificates of arbitrary clients and servers.
Solution:
Sun has issued a fix.
SPARC Platform
* OpenSolaris PostgreSQL 8.1 based upon builds snv_110 or later
* OpenSolaris PostgreSQL 8.2 based upon builds snv_131 or later
* OpenSolaris PostgreSQL 8.3 based upon builds snv_131 or later
x86 Platform
* OpenSolaris PostgreSQL 8.1 based upon builds snv_110 or later
* OpenSolaris PostgreSQL 8.2 based upon builds snv_131 or later
* OpenSolaris PostgreSQL 8.3 based upon builds snv_131 or later
Sun is working on a fix for Solaris 10.
The Sun advisory is available at:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-274870-1
Vendor URL: www.postgresql.org/about/news.1170
Cause:
Input validation error
Underlying OS:
UNIX (Solaris - SunOS)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Mon, 28 Dec 2009 14:38:33 +0000
Subject: PostgreSQL
http://sunsolve.sun.com/search/document.do?assetkey=1-66-274870-1
CVE-2009-4034
CVE-2009-4136