FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

databases/postgresql*-server -- crypt vulnerabilities

Affected packages
8.3.* < postgresql-server < 8.3.18_1
8.4.* < postgresql-server < 8.4.11_1
9.0.* < postgresql-server < 9.0.7_2
9.1.* < postgresql-server < 9.1.3_1
9.2.* < postgresql-server < 9.2.b1_1

Details

VuXML ID a8864f8f-aa9e-11e1-a284-0023ae8e59f0
Discovery 2012-05-30
Entry 2012-05-30
Modified 2012-05-31

The PostgreSQL Global Development Group reports:

Today the PHP, OpenBSD and FreeBSD communities announced updates to patch a security hole involving their crypt() hashing algorithms. This issue is described in CVE-2012-2143. This vulnerability also affects a minority of PostgreSQL users, and will be fixed in an update release on June 4, 2012.

Affected users are those who use the crypt(text, text) function with DES encryption in the optional pg_crypto module. Passwords affected are those that contain characters that cannot be represented with 7-bit ASCII. If a password contains a character that has the most significant bit set (0x80), and DES encryption is used, that character and all characters after it will be ignored.
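An added example, not part of the PostgreSQL announcement or the VuXML entry: Python for triaging exposure, which classifies stored crypt-style hashes by format to list accounts hashed with DES and models the truncation as the announcement describes it. The function names, the constructed sample rows and the choice to treat extended DES as in scope are assumptions of this example.

```python
import re

# crypt(3)-style hash shapes that pgcrypto's crypt() can return.
_XDES = re.compile(r"_[./0-9A-Za-z]{19}")   # extended DES: '_' + count + salt + hash
_DES = re.compile(r"[./0-9A-Za-z]{13}")     # traditional DES: 2-char salt + hash


def hash_scheme(stored: str) -> str:
    """Classify a stored hash by its format."""
    if _XDES.fullmatch(stored):
        return "xdes"
    if _DES.fullmatch(stored):
        return "des"
    if stored.startswith("$1$"):
        return "md5"
    if stored.startswith("$2"):
        return "bf"
    return "unknown"


def surviving_prefix(password: str, encoding: str = "utf-8") -> bytes:
    """Bytes still considered under the announcement's description: everything
    before the first byte with the most significant bit (0x80) set."""
    raw = password.encode(encoding)
    for i, b in enumerate(raw):
        if b & 0x80:
            return raw[:i]
    return raw


def audit(rows):
    """rows: iterable of (user, stored_hash). Returns the users whose hash is
    DES-based, i.e. the accounts to review."""
    # Assumption: extended DES is treated as in scope too, to be conservative;
    # the announcement only says "DES encryption".
    return [user for user, h in rows if hash_scheme(h) in ("des", "xdes")]


# Constructed sample data: made-up hash strings that only have the right shape.
SAMPLE_ROWS = [
    ("alice", "ab" + "x" * 11),                # traditional DES shape
    ("bob", "_J9.." + "salt" + "y" * 11),      # extended DES shape
    ("carol", "$1$saltsalt$" + "z" * 22),      # MD5 crypt
    ("dave", "$2a$06$" + "w" * 53),            # Blowfish crypt
]

if __name__ == "__main__":
    print("DES-based accounts:", audit(SAMPLE_ROWS))
    for pw in ("correct horse", "p\u00e4ssword", "\u00fcber-secret"):
        kept = surviving_prefix(pw)
        print(f"{pw!r}: {len(kept)} of {len(pw.encode())} bytes considered")
```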

References

CVE Name CVE-2012-2143
URL http://git.postgresql.org/gitweb/?p=postgresql.git;a=patch;h=932ded2ed51e8333852e370c7a6dad75d9f236f9
URL http://www.postgresql.org/about/news/1397/