PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based PostgreSQL servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended client-hostname restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

The version of PostgreSQL installed on the remote host is 7.4 prior to 7.4.27, 8.0 prior to 8.0.23, 8.1 prior to 8.1.19, 8.2 prior to 8.2.15, 8.3 prior to 8.3.9 or 8.4 prior to 8.4.2.  As such, it is potentially affected by multiple vulnerabilities :

  - NULL bytes in SSL Certificates can be used to falsify     client or server authentication. (CVE-2009-4034)

  - Privilege escalation is possible via changing session     state in an index function. (CVE-2009-4136)

The remote host is affected by the vulnerability described in GLSA-201110-22 (PostgreSQL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PostgreSQL. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote authenticated attacker could send a specially crafted SQL query       to a PostgreSQL server with the 'intarray' module enabled, possibly       resulting in the execution of arbitrary code with the privileges of the       PostgreSQL server process, or a Denial of Service condition. Furthermore,       a remote authenticated attacker could execute arbitrary Perl code, cause       a Denial of Service condition via different vectors, bypass LDAP       authentication, bypass X.509 certificate validation, gain database       privileges, exploit weak blowfish encryption and possibly cause other       unspecified impact.
  Workaround :

    There is no known workaround at this time.

The following bugs have been fixed :

  - An unprivileged, authenticated PostgreSQL user could     create a table which references functions with malicious     content. Maintenance operations carried out be the     database superuser could execute such functions.
    (CVE-2009-4136)

  - Embedded null bytes in the common name of SSL     certificates could bypass certificate hostname checks.
    (CVE-2009-4034)

PostgreSQL was updated to the next upstream patchlevel update which also includes several bugfixes. See the package changelog for details.

The following bugs have been fixed :

An unprivileged, authenticated PostgreSQL user could create a table which references functions with malicious content. Maintenance operations carried out be the database superuser could execute such functions. (CVE-2009-4136)

Embedded null bytes in the common name of SSL certificates could bypass certificate hostname checks. (CVE-2009-4034)

PostgreSQL was updated to the next upstream patchlevel update which also includes several bugfixes. See the package changelog for details.

Several vulnerabilities have been discovered in PostgreSQL, a database server. The Common Vulnerabilities and Exposures project identifies the following problems :

It was discovered that PostgreSQL did not properly verify the Common Name attribute in X.509 certificates, enabling attackers to bypass the (optional) TLS protection on client-server connections, by relying on a certificate from a trusted CA which contains an embedded NUL byte in the Common Name (CVE-2009-4034 ).

Authenticated database users could elevate their privileges by creating specially crafted index functions (CVE-2009-4136 ).

The following matrix shows fixed source package versions for the respective distributions.

                   oldstable/etch    stable/lenny      testing/unstable    postgresql-7.4    7.4.27-0etch1                                         postgresql-8.1    8.1.19-0etch1                                         postgresql-8.3                     8.3.9-0lenny1     8.3.9-1             postgresql-8.4                                      8.4.2-1           In addition to these security fixes, the updates contain reliability improvements and fix other defects.

An unprivileged, authenticated PostgreSQL user could create a table which references functions with malicious content. Maintenance operations carried out be the database superuser could execute such functions (CVE-2009-4136).

Embedded null bytes in the common name of SSL certificates could bypass certificate hostname checks (CVE-2009-4034).

postgresql was updated to the next upstream patchlevel update which also includes several bugfixes. See the package changelog for details.

It was discovered that PostgreSQL did not properly handle certificates with NULL characters in the Common Name field of X.509 certificates.
An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.
(CVE-2009-4034)

It was discovered that PostgreSQL did not properly manage session-local state. A remote authenticated user could exploit this to escalate priviliges within PostgreSQL. (CVE-2009-4136).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to latest upstream point releases

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

PostgreSQL project reports :

PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based PostgreSQL servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended client-hostname restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly manage session-local state during execution of an index function by a database superuser, which allows remote authenticated users to gain privileges via a table with crafted index functions, as demonstrated by functions that modify (1) search_path or (2) a prepared statement, a related issue to CVE-2007-6600 and CVE-2009-3230.

Multiple vulnerabilities was discovered and corrected in postgresql :

NULL Bytes in SSL Certificates can be used to falsify client or server authentication. This only affects users who have SSL enabled, perform certificate name validation or client certificate authentication, and where the Certificate Authority (CA) has been tricked into issuing invalid certificates. The use of a CA that can be trusted to always issue valid certificates is recommended to ensure you are not vulnerable to this issue (CVE-2009-4034).

Privilege escalation via changing session state in an index function.
This closes a corner case related to vulnerabilities CVE-2009-3230 and CVE-2007-6600 (CVE-2009-4136).

Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations (CVE-2010-0733).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

This update provides a solution to these vulnerabilities.

The remote host is running a version of PostgreSQL that is earelir than 8.4.2, 8.3.9, 8.2.15, 8.1.19, 8.0.23, or 7.4.27.  Such versions are potentially affected by multiple vulnerabilities : 

  - NULL Bytes in SSL Certificates can be used to falsify client or server authentication. (CVE-2009-4034)

  - Privilege escalation via changing session state in an index function. (CVE-2009-4136)  - An integer overflow in the 'ExecChooseHashTableSize()' function of the 'backend/executor/nodeHash.c' source file which could lead to a denial of service. (CVE-2010-0733)

ID	Name	Product	Family	Severity
63348	PostgreSQL 7.4 < 7.4.27 / 8.0 < 8.0.23 / 8.1 < 8.1.19 / 8.2 < 8.2.15 / 8.3 < 8.3.9 / 8.4 < 8.4.2 Multiple Vulnerabilities	Nessus	Databases	medium
56626	GLSA-201110-22 : PostgreSQL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
52689	SuSE 11 Security Update : PostgreSQL (SAT Patch Number 1766)	Nessus	SuSE Local Security Checks	medium
49920	SuSE 10 Security Update : PostgreSQL (ZYPP Patch Number 6768)	Nessus	SuSE Local Security Checks	medium
44829	Debian DSA-1964-1 : postgresql-7.4, postgresql-8.1, postgresql-8.3 - several vulnerabilities	Nessus	Debian Local Security Checks	medium
44056	SuSE 10 Security Update : PostgreSQL (ZYPP Patch Number 6767)	Nessus	SuSE Local Security Checks	medium
44055	SuSE 11 Security Update : PostgreSQL (SAT Patch Number 1766)	Nessus	SuSE Local Security Checks	medium
44054	openSUSE Security Update : postgresql (postgresql-1773)	Nessus	SuSE Local Security Checks	medium
44052	openSUSE Security Update : postgresql (postgresql-1773)	Nessus	SuSE Local Security Checks	medium
44051	openSUSE Security Update : postgresql (postgresql-1773)	Nessus	SuSE Local Security Checks	medium
44050	SuSE9 Security Update : PostgreSQL (YOU Patch Number 12571)	Nessus	SuSE Local Security Checks	medium
43622	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : postgresql-8.1, postgresql-8.3, postgresql-8.4 vulnerabilities (USN-876-1)	Nessus	Ubuntu Local Security Checks	medium
43340	Fedora 12 : postgresql-8.4.2-1.fc12 (2009-13381)	Nessus	Fedora Local Security Checks	medium
43337	Fedora 11 : postgresql-8.3.9-1.fc11 (2009-13363)	Nessus	Fedora Local Security Checks	medium
43177	FreeBSD : postgresql -- multiple vulnerabilities (e7bc5600-eaa0-11de-bd9c-00215c6a37bb)	Nessus	FreeBSD Local Security Checks	medium
43167	Mandriva Linux Security Advisory : postgresql (MDVSA-2009:333)	Nessus	Mandriva Local Security Checks	medium
5261	PostgreSQL < 8.4.2 / 8.3.9 / 8.2.15 / 8.1.19 / 8.0.23 / 7.4.27 Multiple Vulnerabilities	Nessus Network Monitor	Database	medium

Detections

Analytics

CVE-2009-4034

medium

Tenable Plugins

medium

high

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium