Description
The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.
Affected products
- Canonical / Ubuntu Linux6.06 – 6.06
- Canonical / Ubuntu Linux9.04 – 9.04
- Canonical / Ubuntu Linux8.10 – 8.10
- Canonical / Ubuntu Linux8.04 – 8.04
- fedoraproject / fedora10 – 10
- fedoraproject / fedora11 – 11
- openSUSE / opensuse10.3 – 11.1
- PostgreSQL / postgresql8.2 – 8.2.14
- SUSE / linux_enterprise11.0 – 11.0
- SUSE / linux_enterprise10.0 – 10.0
- SUSE / linux_enterprise_server9 – 9
References
- MISChttps://www.redhat.com/archives/fedora-package-announce/2009-September/msg00307.html
- MISChttp://www.postgresql.org/docs/8.3/static/release-8-3-8.html
- MISChttp://www.securityfocus.com/bid/36314
- MAILING_LISThttp://marc.info/?l=bugtraq&m=134124585221119&w=2
- VENDOR_ADVISORYhttp://secunia.com/advisories/36837
- MISChttp://www.postgresql.org/support/security.html
- VENDOR_ADVISORYhttp://secunia.com/advisories/36660
- MISChttp://www.securityfocus.com/archive/1/509917/100/0/threaded
- VENDOR_ADVISORYhttp://secunia.com/advisories/36800
- VENDOR_ADVISORYhttp://www.us.debian.org/security/2009/dsa-1900
- MISChttps://bugzilla.redhat.com/show_bug.cgi?id=522084
- MISChttps://www.redhat.com/archives/fedora-package-announce/2009-September/msg00305.html
- MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
- VENDOR_ADVISORYhttp://secunia.com/advisories/36727
- MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
- VENDOR_ADVISORYhttp://www.ubuntu.com/usn/usn-834-1
- MAILING_LISThttp://marc.info/?l=bugtraq&m=134124585221119&w=2
- VENDOR_ADVISORYhttp://wiki.rpath.com/wiki/Advisories:rPSA-2010-0012