Gentoo Linux Security Advisory 201209-24 - Multiple vulnerabilities have been found in PostgreSQL which may allow a remote attacker to conduct several attacks. Versions less than 9.1.5 are affected.
aadd0a998d1f2db81a1c115cf7617428cb68b328b2051e91f2e2de0940ce8305Red Hat Security Advisory 2012-1037-01 - PostgreSQL is an advanced object-relational database management system. A flaw was found in the way the crypt() password hashing function from the optional PostgreSQL pgcrypto contrib module performed password transformation when used with the DES algorithm. If the password string to be hashed contained the 0x80 byte value, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. This made brute-force guessing more efficient as the whole password was not required to gain access to protected resources.
43dd84d900e99c3f1b88175c8d6cb0d767071c6eb772b1ec31adf8ed1f003585Mandriva Linux Security Advisory 2012-092 - Multiple vulnerabilities has been discovered and corrected in postgresql. Fix incorrect password transformation in contrib/pgcrypto's DES crypt() function (Solar Designer). If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler (Tom Lane). Applying such attributes to a call handler could crash the server. This advisory provides the latest versions of PostgreSQL that is not vulnerable to these issues.
1edfeb5c298d59aca21fc94dd3d94074bf90df118aaad1545a26a577513db22cDebian Linux Security Advisory 2491-1 - Two vulnerabilities were discovered in PostgreSQL, an SQL database server.
08cee1118490a95890ce39cec136e45a1e76b0f30a416aecbf838f863b61cc51Ubuntu Security Notice 1461-1 - It was discovered that PostgreSQL incorrectly handled certain bytes passed to the crypt() function when using DES encryption. An attacker could use this flaw to incorrectly handle authentication. It was discovered that PostgreSQL incorrectly handled SECURITY DEFINER and SET attributes on procedural call handlers. An attacker could use this flaw to cause PostgreSQL to crash, leading to a denial of service. Various other issues were also addressed.
d480f4d0c7f143e0107319fc134d8cf735ea4e8f2d1e69b46c520248589c93c4
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed