A security flaw was found in the way PostgreSQL performed SSL certificate verification (only 32 characters from Common Name field of a particular certificate were recognized and verified), when SSL support was enabled. A rogue PostgreSQL server, able to obtain a carefully-crafted certificate, signed by a Certificate Authority trusted by PostgreSQL client, could use that certificate to conduct man-in-the-middle attack and potentially confuse PostgreSQL client into accepting it by mistake. References: [1] http://www.postgresql.org/support/security/
This issue affects the version of the postgresql84 package, as shipped with Red Hat Enterprise Linux 5. -- This issue affects the version of the postgresql package, as shipped with Red Hat Enterprise Linux 6. -- This issue affects the versions of the postgresql package, as shipped with Fedora release of 15 and 16. Please schedule an update.
Created postgresql tracking bugs for this issue Affects: fedora-all [bug 797918]
postgresql-9.1.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Support for SSL certificate Common Name against particular server's host name verification has been added starting from PostgreSQL v8.4.0 version: [2] http://www.postgresql.org/docs/8.4/static/release-8-4.html Chapter: E.12.3.9.2. libpq SSL (Secure Sockets Layer) support Paragraph: Fix certificate validation for SSL connections (Magnus) Relevant PostgreSQL-Hackers mailing list archive thread: [3] http://archives.postgresql.org/pgsql-hackers/2008-10/msg00912.php The version of postgresql package, as shipped with Red Hat Enterprise Linux 5 does not include support for this feature yet (does not compare particular SSL certificate Common Name field against the server's host name), and thus is NOT affected by the CVE-2012-0867 security flaw.
Please re-look at comment #2 -- this *affects* postgresql84 package, surely not postgresql package, which is 8.1 actually.
(In reply to comment #8) > Please re-look at comment #2 -- this *affects* postgresql84 package, surely not > postgresql package, which is 8.1 actually. Thanks, Devrim, comment #7 was intended to clarify situation for postgresql package for Red Hat Enterprise Linux 5. To summarize: 1) This issue did NOT affect the version of the postgresql package, as shipped with Red Hat Enterprise Linux 5, 2) This issue affects the version of the postgresql84 package, as shipped with Red Hat Enterprise Linux 5 and version of postgresql package, as shipped with Red Hat Enterprise Linux 6. Fedora versions are covered in comment #2.
postgresql-9.1.3-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
postgresql-9.0.7-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2012:0678 https://rhn.redhat.com/errata/RHSA-2012-0678.html