CVE-2012-0867
Published: 28 February 2012
PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.
Notes
Author | Note |
---|---|
mdeslaur | 8.3 is not affected |
Priority
Status
Package | Release | Status |
---|---|---|
postgresql-8.2 | hardy | Ignored (end of life) |
postgresql-8.2 | lucid | Does not exist |
postgresql-8.2 | maverick | Does not exist |
postgresql-8.2 | natty | Does not exist |
postgresql-8.2 | oneiric | Does not exist |
postgresql-8.2 | precise | Does not exist |
postgresql-8.2 | quantal | Does not exist |
postgresql-8.2 | raring | Does not exist |
postgresql-8.2 | upstream | Needs triage |
postgresql-8.3 | hardy | Not vulnerable |
postgresql-8.3 | lucid | Does not exist |
postgresql-8.3 | maverick | Does not exist |
postgresql-8.3 | natty | Does not exist |
postgresql-8.3 | oneiric | Does not exist |
postgresql-8.3 | precise | Does not exist |
postgresql-8.3 | quantal | Does not exist |
postgresql-8.3 | raring | Does not exist |
postgresql-8.3 | upstream | Not vulnerable |
postgresql-8.4 | hardy | Does not exist |
postgresql-8.4 | lucid | Released (8.4.11-0ubuntu0.10.04) |
postgresql-8.4 | maverick | Released (8.4.11-0ubuntu0.10.10) |
postgresql-8.4 | natty | Released (8.4.11-0ubuntu0.11.04) |
postgresql-8.4 | oneiric | Ignored (end of life) |
postgresql-8.4 | precise | Not vulnerable (8.4.11-1) |
postgresql-8.4 | quantal | Does not exist |
postgresql-8.4 | raring | Does not exist |
postgresql-8.4 | upstream | Released (8.4.11) |
postgresql-9.1 | hardy | Does not exist |
postgresql-9.1 | lucid | Does not exist |
postgresql-9.1 | maverick | Does not exist |
postgresql-9.1 | natty | Does not exist |
postgresql-9.1 | oneiric | Released (9.1.3-0ubuntu0.11.10) |
postgresql-9.1 | precise | Released (9.1.3-1) |
postgresql-9.1 | quantal | Released (9.1.3-1) |
postgresql-9.1 | raring | Released (9.1.3-1) |
postgresql-9.1 | upstream | Released (9.1.3) |