CVE-2009-4034

PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based PostgreSQL servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended client-hostname restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:P
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
VendorProductVersion
postgresqlpostgresql
7.4.1
postgresqlpostgresql
7.4.2
postgresqlpostgresql
7.4.3
postgresqlpostgresql
7.4.4
postgresqlpostgresql
7.4.5
postgresqlpostgresql
7.4.6
postgresqlpostgresql
7.4.7
postgresqlpostgresql
7.4.8
postgresqlpostgresql
7.4.9
postgresqlpostgresql
7.4.10
postgresqlpostgresql
7.4.11
postgresqlpostgresql
7.4.12
postgresqlpostgresql
7.4.13
postgresqlpostgresql
7.4.14
postgresqlpostgresql
7.4.15
postgresqlpostgresql
7.4.16
postgresqlpostgresql
7.4.17
postgresqlpostgresql
7.4.18
postgresqlpostgresql
7.4.19
postgresqlpostgresql
7.4.20
postgresqlpostgresql
7.4.21
postgresqlpostgresql
7.4.22
postgresqlpostgresql
7.4.23
postgresqlpostgresql
7.4.24
postgresqlpostgresql
7.4.25
postgresqlpostgresql
7.4.26
postgresqlpostgresql
8.0.0
postgresqlpostgresql
8.0.1
postgresqlpostgresql
8.0.2
postgresqlpostgresql
8.0.3
postgresqlpostgresql
8.0.4
postgresqlpostgresql
8.0.5
postgresqlpostgresql
8.0.6
postgresqlpostgresql
8.0.7
postgresqlpostgresql
8.0.8
postgresqlpostgresql
8.0.9
postgresqlpostgresql
8.0.10
postgresqlpostgresql
8.0.11
postgresqlpostgresql
8.0.12
postgresqlpostgresql
8.0.13
postgresqlpostgresql
8.0.14
postgresqlpostgresql
8.0.15
postgresqlpostgresql
8.0.16
postgresqlpostgresql
8.0.17
postgresqlpostgresql
8.0.18
postgresqlpostgresql
8.0.19
postgresqlpostgresql
8.0.20
postgresqlpostgresql
8.0.21
postgresqlpostgresql
8.0.22
postgresqlpostgresql
8.1.0
postgresqlpostgresql
8.1.1
postgresqlpostgresql
8.1.2
postgresqlpostgresql
8.1.3
postgresqlpostgresql
8.1.4
postgresqlpostgresql
8.1.5
postgresqlpostgresql
8.1.6
postgresqlpostgresql
8.1.7
postgresqlpostgresql
8.1.8
postgresqlpostgresql
8.1.9
postgresqlpostgresql
8.1.10
postgresqlpostgresql
8.1.11
postgresqlpostgresql
8.1.12
postgresqlpostgresql
8.1.13
postgresqlpostgresql
8.1.14
postgresqlpostgresql
8.1.15
postgresqlpostgresql
8.1.16
postgresqlpostgresql
8.1.17
postgresqlpostgresql
8.1.18
postgresqlpostgresql
8.2
postgresqlpostgresql
8.2.1
postgresqlpostgresql
8.2.2
postgresqlpostgresql
8.2.3
postgresqlpostgresql
8.2.4
postgresqlpostgresql
8.2.5
postgresqlpostgresql
8.2.6
postgresqlpostgresql
8.2.7
postgresqlpostgresql
8.2.8
postgresqlpostgresql
8.2.9
postgresqlpostgresql
8.2.10
postgresqlpostgresql
8.2.11
postgresqlpostgresql
8.2.12
postgresqlpostgresql
8.2.13
postgresqlpostgresql
8.2.14
postgresqlpostgresql
8.3.1
postgresqlpostgresql
8.3.2
postgresqlpostgresql
8.3.3
postgresqlpostgresql
8.3.4
postgresqlpostgresql
8.3.5
postgresqlpostgresql
8.3.6
postgresqlpostgresql
8.3.7
postgresqlpostgresql
8.3.8
postgresqlpostgresql
8.4.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
postgresql-7.4
oneiric
dne
natty
dne
maverick
dne
lucid
dne
karmic
dne
jaunty
dne
intrepid
dne
hardy
dne
dapper
ignored
postgresql-8.0
oneiric
dne
natty
dne
maverick
dne
lucid
dne
karmic
dne
jaunty
dne
intrepid
dne
hardy
dne
dapper
ignored
postgresql-8.1
oneiric
dne
natty
dne
maverick
dne
lucid
dne
karmic
dne
jaunty
dne
intrepid
dne
hardy
dne
dapper
Fixed 8.1.19-0ubuntu0.6.06
released
postgresql-8.2
oneiric
dne
natty
dne
maverick
dne
lucid
dne
karmic
dne
jaunty
dne
intrepid
dne
hardy
ignored
dapper
dne
postgresql-8.3
oneiric
dne
natty
dne
maverick
dne
lucid
dne
karmic
ignored
jaunty
Fixed 8.3.9-0ubuntu9.04
released
intrepid
Fixed 8.3.9-0ubuntu8.10
released
hardy
Fixed 8.3.9-0ubuntu8.04
released
dapper
dne
postgresql-8.4
oneiric
not-affected
natty
not-affected
maverick
not-affected
lucid
not-affected
karmic
Fixed 8.4.2-0ubuntu9.10
released
jaunty
dne
intrepid
dne
hardy
dne
dapper
dne
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html
http://marc.info/?l=bugtraq&m=134124585221119&w=2
http://marc.info/?l=bugtraq&m=134124585221119&w=2
http://osvdb.org/61038
http://secunia.com/advisories/37663
http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0012
http://www.mandriva.com/security/advisories?name=MDVSA-2009:333
http://www.postgresql.org/docs/current/static/release-7-4-27.html
http://www.postgresql.org/docs/current/static/release-8-0-23.html
http://www.postgresql.org/docs/current/static/release-8-1-19.html
http://www.postgresql.org/docs/current/static/release-8-2-15.html
http://www.postgresql.org/docs/current/static/release-8-3-9.html
http://www.postgresql.org/docs/current/static/release-8-4-2.html
http://www.postgresql.org/support/security.html
http://www.securityfocus.com/archive/1/509917/100/0/threaded
http://www.securityfocus.com/bid/37334
http://www.securitytracker.com/id?1023325
http://www.vupen.com/english/advisories/2009/3519
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01035.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01056.html
http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html
http://marc.info/?l=bugtraq&m=134124585221119&w=2
http://marc.info/?l=bugtraq&m=134124585221119&w=2
http://osvdb.org/61038
http://secunia.com/advisories/37663
http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0012
http://www.mandriva.com/security/advisories?name=MDVSA-2009:333
http://www.postgresql.org/docs/current/static/release-7-4-27.html
http://www.postgresql.org/docs/current/static/release-8-0-23.html
http://www.postgresql.org/docs/current/static/release-8-1-19.html
http://www.postgresql.org/docs/current/static/release-8-2-15.html
http://www.postgresql.org/docs/current/static/release-8-3-9.html
http://www.postgresql.org/docs/current/static/release-8-4-2.html
http://www.postgresql.org/support/security.html
http://www.securityfocus.com/archive/1/509917/100/0/threaded
http://www.securityfocus.com/bid/37334
http://www.securitytracker.com/id?1023325
http://www.vupen.com/english/advisories/2009/3519
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01035.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01056.html