CVE-2012-0867

NameCVE-2012-0867
DescriptionPostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDSA-2418-1
NVD severitymedium (attack range: remote)
Debian/oldstablenot vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
postgresql-8.4 (PTS)squeeze8.4.21-0squeeze1fixed
squeeze (security)8.4.20-0squeeze1fixed
squeeze (lts)8.4.22lts1-0+deb6u1fixed
wheezy8.4.22-0+deb7u1fixed
postgresql-9.1 (PTS)wheezy9.1.14-0+deb7u1fixed
wheezy (security)9.1.15-0+deb7u1fixed
jessie, sid9.1.15-0+deb8u1fixed

The information above is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
postgresql-8.4source(unstable)8.4.11-1medium
postgresql-8.4sourcesqueeze8.4.11-0squeeze1mediumDSA-2418-1
postgresql-9.1source(unstable)9.1.3-1medium

Search for package or bug name: Reporting problems