CVE-2012-0867 — MEDIUM (4.3)

Vulnerability Description

PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.

CVSS Score

4.3

MEDIUM

AV:N/AC:M/Au:N/C:N/I:P/A:N

Confidentiality

NONE

Integrity

PARTIAL

Availability

NONE

Affected Products

Vendor	Product	Versions
Opensuse Project	Opensuse	12.2
Postgresql	Postgresql	8.4
Debian	Debian Linux	6.0
Redhat	Desktop Workstation	5
Redhat	Enterprise Linux	5.0
Redhat	Enterprise Linux Desktop	5.0
Redhat	Enterprise Linux Hpc Node	6.0
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Server Aus	6.2
Redhat	Enterprise Linux Server Eus	6.2.z
Redhat	Enterprise Linux Workstation	6.0

Related Weaknesses (CWE)

CWE-20 CWE-295

References

http://lists.opensuse.org/opensuse-updates/2012-09/msg00060.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2012-0678.htmlThird Party Advisory
http://secunia.com/advisories/49273
http://www.debian.org/security/2012/dsa-2418Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2012:026Broken Link
http://www.postgresql.org/about/news/1377/Vendor Advisory
http://www.postgresql.org/docs/8.4/static/release-8-4-11.htmlRelease NotesVendor Advisory
http://www.postgresql.org/docs/9.0/static/release-9-0-7.htmlRelease NotesVendor Advisory
http://www.postgresql.org/docs/9.1/static/release-9-1-3.htmlRelease NotesVendor Advisory
http://lists.opensuse.org/opensuse-updates/2012-09/msg00060.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2012-0678.htmlThird Party Advisory
http://secunia.com/advisories/49273
http://www.debian.org/security/2012/dsa-2418Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2012:026Broken Link
http://www.postgresql.org/about/news/1377/Vendor Advisory

FAQ

What is CVE-2012-0867?

CVE-2012-0867 is a vulnerability with a CVSS score of 4.3 (MEDIUM). PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof conne...

How severe is CVE-2012-0867?

CVE-2012-0867 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2012-0867?

Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Project Opensuse, Postgresql Postgresql, Debian Debian Linux, Redhat Desktop Workstation, Redhat Enterprise Linux.