Dave's PostgreSQL Blog: Kerberos security issues in PostgreSQL on Windows

We recently received a report from some automated security scanning software red-flagging the Kerberos DLLs that ship with the PostgreSQL installers for Windows. This blog post is a summary of the impact of known vulnerabilities in Kerberos, how they relate to PostgreSQL, and what we're doing about them.

PostgreSQL 8.3.x and 8.4.x

PostgreSQL 8.3 and 8.4 are built using Kerberos for Windows (KfW) 3.2.2, which is based on the Kerberos 1.6.3 release. This is the latest version of Kerberos for Windows that is currently available from MIT. The vulnerabilities that were reported by the security scanning tool were:

CVE-2008-0062 and CVE-2008-0063. These are bugs in the KDC server which are exposed if Kerberos 4 is enabled on a v5 KDC. As we don't ship the KDC software with PostgreSQL, these bugs do not apply.

CVE-2008-0947 and CVE-2008-0948. These are bugs in kadmind, the Kerberos Administration Server. We don't ship this either, so like the previous bugs, these do not apply to PostgreSQL.

What the scanning tool didn't report was a fifth vulnerability which does potentially affect PostgreSQL users: CVE-2009-0846. This issue is described as: "The asn1_decode_generaltime() function, which decodes DER encodings of the ASN.1 type GeneralizedTime, can free an uninitialized pointer." This can cause a Kerberos client to crash, or, under theoretically possible but unlikely circumstances, execute arbitrary malicious code. As mentioned above, we currently ship the latest version of Kerberos for Windows with PostgreSQL. As soon as MIT update the Kerberos for Windows release to include Kerberos 1.6.4 (which does not have this issue), we will update the PostgreSQL build servers.

PostgreSQL 8.2.x

PostgreSQL 8.2 is built using Kerberos for Windows (KfW) 2.6.5, which is based on the Kerberos 1.3.5 release. This is the most recent version of Kerberos for Windows v2.6.x available from MIT, and it is no longer being maintained. This version of Kerberos is believed to be vulnerable to the issue noted above (CVE-2009-0846), as well as to CVE-2005-1689, which describes a double-free bug in the krb5_recvauth function (but was not noted by the scanning tool that started this exercise)!

Updating Kerberos for Windows to version 3.2.2 in the PostgreSQL 8.2 distribution is the only way we can fix all of these issues. However, this is not as simple as it might sound, as the distribution has changed in form, requiring modifications to the PostgreSQL installer to ship additional DLLs, as well as to any client installers that our users may have built for their libpq-based applications. Because of the potential disruption to users and software developers for the sake of a feature used by such a small number of users, we have decided not to update the PostgreSQL 8.2 installer with the newer Kerberos packages, but instead to advise users of PostgreSQL 8.2 on Windows who wish to use Kerberos authentication to upgrade their installations to PostgreSQL 8.3 or 8.4 as soon as possible.
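As an added illustration, not part of the original post and not MIT's Kerberos code: a minimal DER GeneralizedTime decoder in C showing the bug class the CVE-2009-0846 description refers to, a pointer that reaches free() on an error path before it was ever assigned, next to a hardened version that starts the pointer at NULL so every failure path frees either NULL or a live allocation. The function names (decode_generaltime_defective, decode_generaltime_hardened, check_sample), the GENTIME_LEN constant and the sample byte strings are constructed for this example; the decoder is simplified to the fixed 15-byte YYYYMMDDhhmmssZ form and does not implement the full ASN.1 type.

```c
/* Added example for this post (not MIT Kerberos code): a minimal DER
 * GeneralizedTime decoder showing the "free of an uninitialised pointer on
 * an error path" bug class next to its hardened form. Simplified to the
 * fixed 15-byte "YYYYMMDDhhmmssZ" form; fractional seconds and long-form
 * lengths are not handled (a deliberate simplification). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DER_TAG_GENERALIZEDTIME 0x18
#define GENTIME_LEN 15   /* strlen("YYYYMMDDhhmmssZ") */

/* Defect pattern, kept for comparison only and never called: `buf` is not
 * initialised, so a tag or length failure reaches free() with whatever
 * happened to be on the stack. Behaviour on malformed input is undefined. */
int decode_generaltime_defective(const unsigned char *der, size_t len, char **out)
{
    char *buf;                                   /* uninitialised */
    size_t i, n;
    if (len < 2 || der[0] != DER_TAG_GENERALIZEDTIME) goto fail;  /* buf never set */
    n = der[1];
    if (n != GENTIME_LEN || len < 2 + n) goto fail;               /* buf never set */
    buf = malloc(n + 1);
    if (buf == NULL) return -1;
    for (i = 0; i < n; i++) buf[i] = (char)der[2 + i];
    buf[n] = '\0';
    *out = buf;
    return 0;
fail:
    free(buf);                                   /* indeterminate pointer */
    return -1;
}

/* Hardened form: the only pointer that can reach free() starts as NULL, the
 * output is cleared up front, and validation after allocation still goes
 * through the same single cleanup path. Returns 0 on success (caller frees
 * *out) or -1 on malformed input (*out stays NULL). */
int decode_generaltime_hardened(const unsigned char *der, size_t len, char **out)
{
    char *buf = NULL;                            /* free(NULL) is a no-op */
    size_t i, n;
    *out = NULL;
    if (der == NULL || len < 2 || der[0] != DER_TAG_GENERALIZEDTIME) goto fail;
    n = der[1];
    if (n & 0x80) goto fail;                     /* long-form length: reject */
    if (n != GENTIME_LEN || len < 2 + n) goto fail;  /* bounds before reading */
    buf = malloc(n + 1);
    if (buf == NULL) goto fail;
    for (i = 0; i < n - 1; i++) {
        if (!isdigit(der[2 + i])) goto fail;     /* failure after allocation */
        buf[i] = (char)der[2 + i];
    }
    if (der[2 + n - 1] != 'Z') goto fail;        /* DER requires the UTC 'Z' */
    buf[n - 1] = 'Z';
    buf[n] = '\0';
    *out = buf;
    return 0;
fail:
    free(buf);                                   /* NULL or a live allocation */
    return -1;
}

/* Constructed sample encodings (not taken from any real ticket). */
static const unsigned char SAMPLE_VALID[] = {
    0x18, 0x0f, '2','0','0','9','0','4','0','1','1','2','0','0','0','0','Z' };
static const unsigned char SAMPLE_BAD_TAG[] = {       /* UTCTime tag instead */
    0x17, 0x0f, '2','0','0','9','0','4','0','1','1','2','0','0','0','0','Z' };
static const unsigned char SAMPLE_NONDIGIT[] = {      /* rejected after malloc */
    0x18, 0x0f, '2','0','0','9','0','4','0','1','1','2','0','0','0','X','Z' };

/* Decodes `der` with the hardened decoder and reports (1/0) whether the
 * outcome matches `expect`: the expected string on success, or NULL when
 * a rejection with no allocation handed back is expected. */
int check_sample(const unsigned char *der, size_t len, const char *expect)
{
    char *s = NULL;
    int rc = decode_generaltime_hardened(der, len, &s);
    int ok = (rc == 0 && expect != NULL && strcmp(s, expect) == 0)
          || (rc != 0 && expect == NULL && s == NULL);
    free(s);
    return ok;
}

int main(void)
{
    printf("valid:     %d\n", check_sample(SAMPLE_VALID, sizeof SAMPLE_VALID, "20090401120000Z"));
    printf("bad tag:   %d\n", check_sample(SAMPLE_BAD_TAG, sizeof SAMPLE_BAD_TAG, NULL));
    printf("non-digit: %d\n", check_sample(SAMPLE_NONDIGIT, sizeof SAMPLE_NONDIGIT, NULL));
    printf("truncated: %d\n", check_sample(SAMPLE_VALID, 5, NULL));
    return 0;
}
```

The cheapest detection for this class is the compiler itself: building with warnings enabled and optimisation on (gcc's -Wall with -O2, or clang, which reports "sometimes uninitialized" variables) flags the defective function, and running the decoder's negative cases under AddressSanitizer or Valgrind catches the bad free at run time. The hardened form also illustrates why a single cleanup label is preferable to scattered early returns: once every resource starts in a known state, each new validation check can be added without re-auditing the release path.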
