Security Information / 2011 / Security Information -- DSA-2340-1 postgresql-8.3, postgresql-8.4, postgresql-9.0

Debian Security Advisory

DSA-2340-1 postgresql-8.3, postgresql-8.4, postgresql-9.0 -- weak password hashing

Date Reported:

07 Nov 2011

Affected Packages:

postgresql-8.3
postgresql-8.4
postgresql-9.0

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 631285.
In Mitre's CVE dictionary: CVE-2011-2483.

More information:

magnum discovered that the blowfish password hashing used amongst others in PostgreSQL contained a weakness that would give passwords with 8 bit characters the same hash as weaker equivalents.

For the oldstable distribution (lenny), this problem has been fixed in postgresql-8.3 version 8.3.16-0lenny1.

For the stable distribution (squeeze), this problem has been fixed in postgresql-8.4 version 8.4.9-0squeeze1.

For the testing distribution (wheezy) and unstable distribution (sid), this problem has been fixed in postgresql-8.4 version 8.4.9-1, postgresql-9.0 9.0.5-1 and postgresql-9.1 9.1~rc1-1.

The updates also include reliability improvements, originally scheduled for inclusion into the next point release; for details see the respective changelogs.

We recommend that you upgrade your postgresql packages.