
Kerberos support in PostgreSQL on Windows

http://pgsnake.blogspot.com/2009/12/kerberos-support-in-postgresql-on.html


We recently received a report of some automated security scanning software red-flagging the Kerberos DLLs that ship with the PostgreSQL installers for Windows. This blog post is an analysis of the impact of known vulnerabilities in Kerberos, how they relate to PostgreSQL, and what we're doing about them.

PostgreSQL 8.3.x and 8.4.x

PostgreSQL 8.3 and 8.4 are built using Kerberos for Windows (KfW) 3.2.2, which is based on the Kerberos 1.6.3 package. This is the latest version of Kerberos for Windows currently available from MIT.

The vulnerabilities that were reported by the security scanning tool were:

CVE-2008-0062 and CVE-2008-0063. These are bugs in the KDC server which are exposed if Kerberos 4 is enabled on a v5 KDC. As we don't ship the KDC software with PostgreSQL, these bugs do not apply.

CVE-2008-0947 and CVE-2008-0948. These are bugs in kadmind, the Kerberos Administration Server. We don't ship this either, so like the previous bugs, these do not apply to PostgreSQL.

What the scanning tool didn't report was a fifth vulnerability which does potentially affect PostgreSQL users:

CVE-2009-0846. This issue is described as: The asn1_decode_generaltime() function, which decodes DER encodings of the ASN.1 type "GeneralizedTime", can free an uninitialized pointer. This can cause a Kerberos application to crash or, under theoretically possible but unlikely circumstances, execute arbitrary malicious code.

As mentioned above, we currently ship the latest version of Kerberos with PostgreSQL. As soon as MIT updates the Kerberos for Windows package to include Kerberos 1.6.4 (which does not have this issue), we will update the PostgreSQL build servers.

PostgreSQL 8.2.x

PostgreSQL 8.2 is built using Kerberos for Windows (KfW) 2.6.5, which is based on the Kerberos 1.3.5 package. This is the most recent version of Kerberos for Windows v2.6.x available from MIT, and that branch is no longer being maintained.

This version of Kerberos is believed to be vulnerable to the issue noted above (CVE-2009-0846), as well as to CVE-2005-1689, which describes a double-free bug in the krb5_recvauth function (but was not noted by the scanning tool that started this exercise)!
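The two memory-safety bug classes named on this page, a free() of a pointer that was never assigned (CVE-2009-0846) and a double free (CVE-2005-1689), share the same cheap mitigations: initialise every pointer a shared cleanup path will free, and null a pointer immediately after freeing it. The decoder below is an added illustration written for this post; it is not MIT Kerberos code, and its structure, names (gtime_decode, gtime_free, gtime_check) and error codes are assumptions. It parses the DER form of GeneralizedTime (tag 0x18, length 15, YYYYMMDDHHMMSSZ) and is arranged so that every early error exit passes through the same free() call, exactly the shape in which an uninitialised pointer would otherwise be freed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* DER tag byte for the ASN.1 GeneralizedTime type. */
#define DER_TAG_GENERALIZEDTIME 0x18
/* The only GeneralizedTime form DER permits: YYYYMMDDHHMMSSZ (15 bytes). */
#define GTIME_LEN 15

enum gtime_err {
    GTIME_OK = 0,
    GTIME_ERR_TRUNCATED = 1,   /* fewer bytes than the TLV header claims */
    GTIME_ERR_TAG = 2,         /* wrong tag byte */
    GTIME_ERR_LENGTH = 3,      /* DER length is not 15 (or uses long form) */
    GTIME_ERR_FORMAT = 4,      /* not 14 digits followed by 'Z' */
    GTIME_ERR_NOMEM = 5
};

struct gtime {
    char *text;   /* heap copy of the 15-char time string, NUL-terminated */
};

/* Decode one DER GeneralizedTime TLV into *out. Returns a gtime_err code.
 * Hypothetical decoder: the bug class is real, this code is not MIT's. */
int gtime_decode(const uint8_t *der, size_t len, struct gtime *out)
{
    /* Initialising buf is the mitigation for the uninitialised-free class:
     * every early "goto cleanup" below reaches free(buf) before buf has
     * been assigned, and free(NULL) is defined to be a no-op. */
    char *buf = NULL;
    int ret;
    size_t n;

    out->text = NULL;

    if (len < 2) { ret = GTIME_ERR_TRUNCATED; goto cleanup; }
    if (der[0] != DER_TAG_GENERALIZEDTIME) { ret = GTIME_ERR_TAG; goto cleanup; }
    n = der[1];
    if (n & 0x80) { ret = GTIME_ERR_LENGTH; goto cleanup; }   /* long-form length */
    if (n != GTIME_LEN) { ret = GTIME_ERR_LENGTH; goto cleanup; }
    if (len < 2 + n) { ret = GTIME_ERR_TRUNCATED; goto cleanup; }

    buf = malloc(n + 1);
    if (buf == NULL) { ret = GTIME_ERR_NOMEM; goto cleanup; }
    memcpy(buf, der + 2, n);
    buf[n] = '\0';

    for (size_t i = 0; i < n - 1; i++) {
        if (buf[i] < '0' || buf[i] > '9') { ret = GTIME_ERR_FORMAT; goto cleanup; }
    }
    if (buf[n - 1] != 'Z') { ret = GTIME_ERR_FORMAT; goto cleanup; }

    out->text = buf;   /* ownership passes to the caller */
    return GTIME_OK;

cleanup:
    free(buf);         /* safe on every path: buf is NULL or a live allocation */
    return ret;
}

/* Release a decoded value. Nulling the pointer after free() is the matching
 * mitigation for the double-free class: a second gtime_free() on the same
 * struct becomes a harmless no-op instead of a second free() of the block. */
void gtime_free(struct gtime *t)
{
    free(t->text);
    t->text = NULL;
}

/* Decode, release, and report the status code. gtime_free() is called twice
 * on purpose to exercise the double-free guard. */
int gtime_check(const uint8_t *der, size_t len)
{
    struct gtime t;
    int ret = gtime_decode(der, len, &t);
    gtime_free(&t);
    gtime_free(&t);
    return ret;
}

/* Constructed sample inputs; not captured from any real Kerberos exchange. */
static const uint8_t SAMPLE_GOOD[] =
    { 0x18, 0x0f, '2','0','0','9','1','2','1','5','1','2','0','0','0','0','Z' };
static const uint8_t SAMPLE_BAD_TAG[] =
    { 0x17, 0x0f, '2','0','0','9','1','2','1','5','1','2','0','0','0','0','Z' };
static const uint8_t SAMPLE_TRUNCATED[] = { 0x18, 0x0f, '2','0','0','9' };
static const uint8_t SAMPLE_NO_Z[] =
    { 0x18, 0x0f, '2','0','0','9','1','2','1','5','1','2','0','0','0','0','X' };

int main(void)
{
    printf("good      -> %d\n", gtime_check(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("bad tag   -> %d\n", gtime_check(SAMPLE_BAD_TAG, sizeof SAMPLE_BAD_TAG));
    printf("truncated -> %d\n", gtime_check(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("no Z      -> %d\n", gtime_check(SAMPLE_NO_Z, sizeof SAMPLE_NO_Z));
    return 0;
}
```

The point to take from the structure is that the single cleanup label is not itself the problem; it is the common and sensible way to write a decoder. The defect arises only when a pointer reaches that label without ever having been assigned, which is why a compiler warning for possibly-uninitialised variables, or a static analyser, is the practical detection for this class in any C code base that links these DLLs.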

Updating Kerberos for Windows to version 3.2.2 in the PostgreSQL 8.2 distribution is the only way we can work around this issue. However, this is not as simple as it might sound: the distribution has changed in structure, which would require modifications to the PostgreSQL installer to accommodate additional DLLs, as well as to any application installers that our users may have built around their libpq-based applications.

Because of the potential disruption to users and software developers for the sake of a feature used by such a small percentage of users, we have decided not to update the PostgreSQL 8.2 installer with the newer Kerberos packages. Instead, we recommend that users of PostgreSQL 8.2 on Windows who wish to use Kerberos plan to upgrade their installations to PostgreSQL 8.3 or 8.4 as soon as possible.
