PostgreSQL security releases 8.0.6 and 8.1.2 Jan 11 2006 02:24PM
PostgreSQL Security (security postgresql org)
PostgreSQL versions 8.0.6 and 8.1.2 have been released fixing a remote
denial of service vulnerability on the win32 platform.

Vulnerability type: Denial of service
Remotely exploitable: Yes

Affected versions: PostgreSQL 8.0.0-8.0.5, 8.1.0-8.1.1
Fixed versions: PostgreSQL 8.0.6, 8.1.2

Affected platforms: Win32
Non-affected platforms: All non-win32, including Unix, MacOS X and Cygwin.

CVE: CVE-2006-0105
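A small triage helper, added here as an example and not part of the advisory or of PostgreSQL's own tooling, that takes the text returned by SELECT version() and decides whether a server falls inside the affected ranges above and, if so, which fixed release to move to. It assumes (the advisory does not say this) that native Windows builds of 8.x identify themselves with a mingw32 target triple in version(), while Cygwin builds say "cygwin" and are therefore excluded. The sample version strings are constructed for illustration.

```python
import re

# Ranges stated in the advisory, inclusive (major, minor, patch).
AFFECTED_RANGES = (
    ((8, 0, 0), (8, 0, 5)),
    ((8, 1, 0), (8, 1, 1)),
)
# First fixed release per affected branch.
FIXED_RELEASE = {(8, 0): (8, 0, 6), (8, 1): (8, 1, 2)}

_VERSION_RE = re.compile(r"\bPostgreSQL\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version_string):
    """Extract (major, minor, patch) from SELECT version() output, or None."""
    m = _VERSION_RE.search(version_string)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_native_win32(version_string):
    """Assumption (not stated in the advisory): native Windows builds of 8.x
    report a mingw32 target triple in version(); Cygwin builds say 'cygwin'
    and the advisory lists Cygwin as not affected."""
    s = version_string.lower()
    if "cygwin" in s:
        return False
    return "mingw32" in s or "win32" in s


def assess(version_string):
    """Classify one server as 'affected', 'not-affected' or 'unknown'.
    Returns (status, detail); detail names the release to upgrade to when
    affected, otherwise gives a short reason."""
    v = parse_version(version_string)
    if v is None:
        return ("unknown", "unparseable version string")
    if not any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return ("not-affected", "version outside affected ranges")
    if not is_native_win32(version_string):
        return ("not-affected", "affected version but not a native Win32 build")
    fixed = FIXED_RELEASE[v[:2]]
    return ("affected", "upgrade to %d.%d.%d" % fixed)


# Constructed sample inputs in the shape of SELECT version() output; the
# compiler strings are illustrative, not copied from real servers.
SAMPLES = {
    "win-8.0.5": "PostgreSQL 8.0.5 on i686-pc-mingw32, compiled by GCC gcc.exe (GCC) 3.4.2 (mingw-special)",
    "win-8.1.2": "PostgreSQL 8.1.2 on i686-pc-mingw32, compiled by GCC gcc.exe (GCC) 3.4.2 (mingw-special)",
    "linux-8.1.1": "PostgreSQL 8.1.1 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 3.4.4",
    "cygwin-8.0.3": "PostgreSQL 8.0.3 on i686-pc-cygwin, compiled by GCC gcc (GCC) 3.4.4",
    "garbage": "psql: could not connect to server",
}


def assess_all(samples=SAMPLES):
    """Run assess() over a name -> version() mapping; returns name -> status."""
    return {name: assess(s)[0] for name, s in samples.items()}


if __name__ == "__main__":
    for name, s in SAMPLES.items():
        status, detail = assess(s)
        print("%-12s %-13s %s" % (name, status, detail))
```

Feed it the version() string from each server in an inventory; a Linux or Cygwin 8.1.1 is reported as not affected, a native Windows 8.0.5 as affected with 8.0.6 as the target release.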

Vulnerability description
When the postmaster process detects too many attempted connections at
the same time, it incorrectly logs a FATAL error and shuts down. Existing
backend processes and their client sessions are unaffected, but no new
connections can be accepted until the service is restarted.

This is a denial of service vulnerability only. As it is a standard
emergency shutdown, it cannot be exploited for remote code execution.

Upgrade to version 8.0.6 (for 8.0.x) or 8.1.2 (for 8.1.x); both are available in source and binary formats.

Proper firewalling at the network and host level, restricting which hosts
can reach the PostgreSQL port at all, will help mitigate this vulnerability.
No other workarounds are possible: because the postmaster itself fails while
handling the connection attempts, server-side access controls such as
pg_hba.conf are no substitute for blocking the traffic before it reaches
the server.

2005-12-22 - Vulnerability reported to security (at) postgresql (dot) org
2005-12-23 - Patch created
2006-01-06 - Patch applied to main tree and new versions packaged
2006-01-09 - New versions announced

The PostgreSQL Global Development Group thanks Yoshiyuki Asaba for
reporting this vulnerability.
