Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker

Category:   Application (Database)  >   PostgreSQL Vendors:
PostgreSQL Postmaster Service Error in Processing Multiple Connections Lets Remote Users Block Subsequent Connections
SecurityTracker Alert ID:  1015482
SecurityTracker URL:
CVE Reference:   CVE-2006-0105   (Links to External Site)
Date:  Jan 12 2006
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8.0.0 - 8.0.5,, 8.1.0 - 8.1.1
Description:   A vulnerability was reported in PostgreSQL. A remote user can cause denial of service conditions.

A remote user can generate a large number of simultaneous connection attempts to cause the postmaster process to incorrectly log a FATAL error and shut down. As a result, new connections are blocked. Existing connections are not affected.

The vendor was notified on December 22, 2005.

The vendor credits Yoshiyuki Asaba with reporting this vulnerability.

Impact:   A remote user can prevent new connections.
Solution:   The vendor has issued fixed versions (8.0.6, 8.1.2), available at:

Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Date:  Wed, 11 Jan 2006 15:24:30 +0100
Subject:  PostgreSQL security releases 8.0.6 and 8.1.2

PostgreSQL versions 8.0.6 and 8.1.2 have been released fixing a remote 
denial of service vulnerability on the win32 platform.

Vulnerability type: Denial of service
Remotely exploitable: Yes

Affected versions: PostgreSQL 8.0.0-8.0.5, 8.1.0-8.1.1 Fixed versions: 
PostgreSQL 8.0.6, 8.1.2

Affected platforms: Win32
Non-affected platforms: All non-win32, including Unix, MacOS X and Cygwin.

CVE: CVE-2006-0105 

Vulnerability description
When the postmaster process detects too many attempted connections at 
the same time, it will incorrectly log a FATAL error and shut down. This 
will not affect existing processes, but will make it impossible to 
initiate new connections until the service is restarted.

This is a denial of service vulnerability only. As it is a standard 
emergency shutdown, it can not be exploited for remote code execution.

Upgrade to version 8.0.6 or 8.1.2 respectively, available from in both source and binary formats.

Implementing proper firewalling at the network and host level will help 
mitigate this vulnerability. No other workarounds are possible.

2005-12-22 - Vulnerability reported to
2005-12-23 - Patch created
2006-01-06 - Patch applied to main tree and new versions packaged
2006-01-09 - New versions announced

The PostgreSQL Global Development Group thanks Yoshiyuki Asaba for 
reporting this vulnerability.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

Copyright 2015, LLC