Kerberos support in PostgreSQL on Windows
http://pgsnake.blogspot.com/2009/12/kerberos-support-in-postgresql-on.html
We recently received a report of some automated security scanning software red-flagging the Kerberos DLLs that ship with the PostgreSQL installers for Windows. This blog post is an analysis of the impact of known vulnerabilities in Kerberos, how they relate to PostgreSQL, and what we're doing about them.
PostgreSQL 8.3.x and 8.4.x
PostgreSQL 8.3 and 8.4 are built using Kerberos for Windows (KfW) 3.2.2 which is based on the Kerberos 1.6.3 package. This is the latest version of Kerberos for Windows that is currently available from MIT.
The vulnerabilities that were reported by the security scanning tool were:
CVE-2008-0062 and CVE-2008-0063. These are bugs in the KDC server, exposed only if Kerberos 4 support is enabled on a v5 KDC. As we don't ship the KDC software with PostgreSQL, these bugs do not apply.
CVE-2008-0947 and CVE-2008-0948. These are bugs in kadmind, the Kerberos Administration Server. We don't ship this either, so, like the previous bugs, these do not apply to PostgreSQL.
What the scanning tool didn't report was a fifth vulnerability which does potentially affect PostgreSQL users:
CVE-2009-0846. This issue is described as: The asn1_decode_generaltime() function, which decodes DER encodings of the ASN.1 type "GeneralizedTime", can free an uninitialized pointer. This can cause a Kerberos application to crash, or, under theoretically possible but unlikely circumstances, execute arbitrary malicious code.
As mentioned above, we currently ship the latest version of Kerberos for Windows with PostgreSQL. As soon as MIT updates the Kerberos for Windows package to include Kerberos 1.6.4 (which does not have this issue), we will update the PostgreSQL build servers.
PostgreSQL 8.2.x
PostgreSQL 8.2 is built using Kerberos for Windows (KfW) 2.6.5, which is based on the Kerberos 1.3.5 package. This is the most recent version of Kerberos for Windows in the 2.6.x series available from MIT, and that series is no longer maintained.
This version of Kerberos is believed to be vulnerable to the issue noted above (CVE-2009-0846), as well as to CVE-2005-1689, a double-free bug in the krb5_recvauth function, which the scanning tool that started this exercise also did not report.
Updating Kerberos for Windows to version 3.2.2 in the PostgreSQL 8.2 distribution is the only way we could work around this issue. However, this is not as simple as it might sound: the structure of the KfW distribution has changed, so the PostgreSQL installer would need modifying to accommodate additional DLLs, and so would any application installers our users have built around their libpq-based applications.
Because of the potential disruption to users and software developers, for the sake of a feature used by such a small percentage of users, we have decided not to update the PostgreSQL 8.2 installer with the newer Kerberos packages. Instead, we recommend that users of PostgreSQL 8.2 on Windows who wish to use Kerberos plan to upgrade their installations to PostgreSQL 8.3 or 8.4 as soon as possible.
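Whether either of the above sections applies to a given server depends on whether its authentication path actually goes through the shipped MIT libraries at all. The script below, an added example rather than code from the original post or from the PostgreSQL project, walks a pg_hba.conf and groups its rules by that question. It assumes the pg_hba.conf row syntax of PostgreSQL 8.3/8.4, that the krb5 and gss methods on a Windows server are implemented on top of the KfW DLLs the installer ships, and that sspi uses the Windows-native SSPI provider and does not load those DLLs; the sample pg_hba.conf contents are constructed, not taken from any real installation.

```python
"""Which pg_hba.conf rules actually hand authentication to Kerberos?

Added example for this post, not code from the original article or from the
PostgreSQL project. Assumptions (not stated by the post): the pg_hba.conf row
syntax of PostgreSQL 8.3/8.4; that the "krb5" and "gss" methods on a Windows
server are implemented on top of the MIT Kerberos for Windows DLLs the
installer ships; and that "sspi" uses the Windows-native SSPI provider and
does not load those DLLs.
"""
from typing import Dict, List, NamedTuple, Optional

# Methods that, on a Windows server, are served by the MIT KfW DLLs (assumption).
MIT_KRB_METHODS = {"krb5", "gss"}
# Windows-native Kerberos via SSPI; does not load the MIT DLLs (assumption).
NATIVE_KRB_METHODS = {"sspi"}


class HbaRule(NamedTuple):
    lineno: int
    conn_type: str          # local | host | hostssl | hostnossl
    database: str
    user: str
    address: Optional[str]  # None for "local" rules
    method: str


def parse_hba(text: str) -> List[HbaRule]:
    """Parse pg_hba.conf text into rules, ignoring comments and blank lines.

    Auth-method options (e.g. "include_realm=1") follow the method and are
    left alone; only the method name matters here.
    """
    rules: List[HbaRule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        kind = f[0]
        if kind == "local":
            if len(f) < 4:
                raise ValueError(f"line {lineno}: local rule needs DATABASE USER METHOD")
            rules.append(HbaRule(lineno, kind, f[1], f[2], None, f[3]))
        elif kind in ("host", "hostssl", "hostnossl"):
            if len(f) < 5:
                raise ValueError(f"line {lineno}: host rule needs DATABASE USER ADDRESS METHOD")
            # Address is either CIDR ("10.1.0.0/16") or an IP followed by a
            # separate netmask field ("10.1.0.0 255.255.0.0").
            if "/" in f[3]:
                address, method_idx = f[3], 4
            else:
                if len(f) < 6:
                    raise ValueError(f"line {lineno}: IP address without netmask or method")
                address, method_idx = f"{f[3]} {f[4]}", 5
            rules.append(HbaRule(lineno, kind, f[1], f[2], address, f[method_idx]))
        else:
            raise ValueError(f"line {lineno}: unknown connection type {kind!r}")
    return rules


def kerberos_exposure(text: str) -> Dict[str, List[HbaRule]]:
    """Group rules by whether they route through the MIT DLLs, native SSPI, or neither."""
    report: Dict[str, List[HbaRule]] = {"mit_krb5": [], "native_sspi": [], "other": []}
    for rule in parse_hba(text):
        if rule.method in MIT_KRB_METHODS:
            report["mit_krb5"].append(rule)
        elif rule.method in NATIVE_KRB_METHODS:
            report["native_sspi"].append(rule)
        else:
            report["other"].append(rule)
    return report


def uses_mit_kerberos(text: str) -> bool:
    """True if at least one rule would exercise the shipped KfW DLLs on the server."""
    return bool(kerberos_exposure(text)["mit_krb5"])


# Constructed sample pg_hba.conf; not taken from any real installation.
SAMPLE_HBA = """\
# TYPE  DATABASE    USER        ADDRESS                 METHOD
local   all         all                                 md5
host    all         all         127.0.0.1/32            md5
host    all         all         10.1.0.0 255.255.0.0    krb5
hostssl corp        +staff      10.2.0.0/16             gss   include_realm=1
host    all         all         192.168.0.0/16          sspi
"""

if __name__ == "__main__":
    for bucket, rules in kerberos_exposure(SAMPLE_HBA).items():
        for r in rules:
            where = r.address or "(unix socket)"
            print(f"{bucket:12} line {r.lineno}: {r.conn_type} {r.database} {r.user} {where} -> {r.method}")
    print("MIT Kerberos DLLs in the auth path:", uses_mit_kerberos(SAMPLE_HBA))
```

Rules that land in the mit_krb5 bucket are the ones the upgrade advice above is aimed at. A server whose rules all fall under native_sspi or other still has the DLLs on disk, but, under the assumption stated in the lead-in, does not load them to authenticate clients; libpq-based clients on the same machine that connect with Kerberos are a separate question this check does not answer.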