Red Hat Bugzilla – Bug 522084
CVE-2009-3231 postgresql: LDAP authentication bypass when anonymous LDAP binds are allowed
Last modified: 2010-03-29 06:02:35 EDT
Quoting upstream PostgreSQL security page:
If PostgreSQL is configured with LDAP authentication, and your LDAP
configuration allows anonymous binds, it is possible for a user to
authenticate themselves with an empty password.
Affected versions: 8.3, 8.2
Fixed in versions: 8.3.8, 8.2.14
Severity: A - A vulnerability that is exploitable for privilege escalation without requiring a prior login.
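The mechanism behind the quoted advisory, as an added illustration that is not PostgreSQL's own code: an LDAP simple bind that carries a DN but an empty password is an "unauthenticated" bind (RFC 4513, section 5.1.2), which directory servers treat as anonymous, so a server that permits anonymous binds reports success. The directory server below is a constructed stand-in, the user names and DNs are made up, and the two authenticate functions model the pre-fix flow and the empty-password guard that closes it.

```python
from dataclasses import dataclass, field

@dataclass
class FakeLdapServer:
    """Constructed stand-in for a directory server (no network, no real LDAP)."""
    allow_anonymous: bool
    passwords: dict = field(default_factory=dict)  # bind DN -> password

    def simple_bind(self, dn: str, password: str) -> bool:
        # RFC 4513 5.1.2: DN present but password empty is an unauthenticated
        # bind; servers honour it exactly like an anonymous bind.
        if password == "":
            return self.allow_anonymous
        # Otherwise it is a normal simple bind: the password must match.
        return self.passwords.get(dn) == password

def make_dn(user: str, base_dn: str) -> str:
    # Assumed DN layout; PostgreSQL builds the bind DN from its ldap* options.
    return f"uid={user},{base_dn}"

def ldap_auth_vulnerable(server: FakeLdapServer, user: str, password: str,
                         base_dn: str = "dc=example,dc=com") -> bool:
    # Models the flawed flow: whatever the client sent is handed straight to
    # the bind, so an empty password succeeds wherever anonymous binds do.
    return server.simple_bind(make_dn(user, base_dn), password)

def ldap_auth_fixed(server: FakeLdapServer, user: str, password: str,
                    base_dn: str = "dc=example,dc=com") -> bool:
    # Guard modelled on the fix: never let an empty password reach the
    # directory, because the bind result would not prove anything.
    if password == "":
        return False
    return server.simple_bind(make_dn(user, base_dn), password)

if __name__ == "__main__":
    directory = FakeLdapServer(allow_anonymous=True,
                               passwords={"uid=alice,dc=example,dc=com": "s3cret"})
    print("vulnerable, empty password:", ldap_auth_vulnerable(directory, "alice", ""))
    print("fixed, empty password:     ", ldap_auth_fixed(directory, "alice", ""))
    print("fixed, correct password:   ", ldap_auth_fixed(directory, "alice", "s3cret"))
```

The same guard belongs in any client that authenticates users by binding with their credentials; disabling anonymous binds on the directory also closes the hole, but only for directories you control.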
postgresql-8.3.8-1.fc11 has been submitted as an update for Fedora 11.
postgresql-8.3.8-1.fc10 has been submitted as an update for Fedora 10.
postgresql-8.3.8-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
postgresql-8.3.8-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
LDAP authentication support is not available in PostgreSQL packages in Red Hat Enterprise Linux 3, 4 and 5, and Red Hat Application Stack v1. PostgreSQL packages shipped in those products are not affected by this flaw.
MITRE's CVE-2009-3231 record:
The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2
before 8.2.14, when using LDAP authentication with anonymous binds,
allows remote attackers to bypass authentication via an empty
This issue has been addressed in the following products:
Red Hat Web Application Stack for RHEL 5
Via RHSA-2009:1461 https://rhn.redhat.com/errata/RHSA-2009-1461.html