Description
PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.
References (9)
Core 9
Core References
Vendor Advisory x_refsource_confirm
http://www.postgresql.org/about/news/1377/
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/49273
Third Party Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0678.html
Broken Link vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2012:026
Release Notes, Vendor Advisory x_refsource_confirm
http://www.postgresql.org/docs/9.0/static/release-9-0-7.html
Release Notes, Vendor Advisory x_refsource_confirm
http://www.postgresql.org/docs/8.4/static/release-8-4-11.html
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2012/dsa-2418
Release Notes, Vendor Advisory x_refsource_confirm
http://www.postgresql.org/docs/9.1/static/release-9-1-3.html
Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2012-09/msg00060.html
Scores
EPSS
0.0187
EPSS Percentile
83.3%
Details
CWE
CWE-20
CWE-295
Status
published
Products (32)
debian/debian_linux
6.0
opensuse_project/opensuse
12.2
postgresql/postgresql
8.4
postgresql/postgresql
8.4.1
postgresql/postgresql
8.4.2
postgresql/postgresql
8.4.3
postgresql/postgresql
8.4.4
postgresql/postgresql
8.4.5
postgresql/postgresql
8.4.6
postgresql/postgresql
8.4.7
... and 22 more
Published
Jul 18, 2012
Tracked Since
Feb 18, 2026