LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

October 2011

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA October 2011

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Moderate: postgresql84 on SL5.x i386/x86_64
From:	Pat Riehecky <[log in to unmask]>
Reply To:	[log in to unmask]
Date:	Tue, 18 Oct 2011 15:30:17 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (67 lines)

Synopsis:    Moderate: postgresql84 security update
Issue Date:  2011-10-17
CVE Numbers: CVE-2011-2483


PostgreSQL is an advanced object-relational database management system
(DBMS).

A signedness issue was found in the way the crypt() function in the
PostgreSQL pgcrypto module handled 8-bit characters in passwords when using
Blowfish hashing. Up to three characters immediately preceding a non-ASCII
character (one with the high bit set) had no effect on the hash result,
thus shortening the effective password length. This made brute-force
guessing more efficient as several different passwords were hashed to the
same value. (CVE-2011-2483)

Note: Due to the CVE-2011-2483 fix, after installing this update some users
may not be able to log in to applications that store user passwords, hashed
with Blowfish using the PostgreSQL crypt() function, in a back-end
PostgreSQL database. Unsafe processing can be re-enabled for specific
passwords (allowing affected users to log in) by changing their hash prefix
to "$2x$".

These updated postgresql84 packages upgrade PostgreSQL to version 8.4.9.
Refer to the PostgreSQL Release Notes for a full list of changes:

http://www.postgresql.org/docs/8.4/static/release.html

All PostgreSQL users are advised to upgrade to these updated packages,
which correct this issue. If the postgresql service is running, it will be
automatically restarted after installing this update.

SL5:
  i386
     postgresql84-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-contrib-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-debuginfo-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-devel-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-docs-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-libs-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-plperl-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-plpython-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-pltcl-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-python-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-server-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-tcl-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-test-8.4.9-1.el5_7.1.i386.rpm
  x86_64
     postgresql84-8.4.9-1.el5_7.1.x86_64.rpm
     postgresql84-contrib-8.4.9-1.el5_7.1.x86_64.rpm
     postgresql84-debuginfo-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-debuginfo-8.4.9-1.el5_7.1.x86_64.rpm
     postgresql84-devel-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-devel-8.4.9-1.el5_7.1.x86_64.rpm
     postgresql84-docs-8.4.9-1.el5_7.1.x86_64.rpm
     postgresql84-libs-8.4.9-1.el5_7.1.i386.rpm
     postgresql84-libs-8.4.9-1.el5_7.1.x86_64.rpm
     postgresql84-plperl-8.4.9-1.el5_7.1.x86_64.rpm
     postgresql84-plpython-8.4.9-1.el5_7.1.x86_64.rpm
     postgresql84-pltcl-8.4.9-1.el5_7.1.x86_64.rpm
     postgresql84-python-8.4.9-1.el5_7.1.x86_64.rpm
     postgresql84-server-8.4.9-1.el5_7.1.x86_64.rpm
     postgresql84-tcl-8.4.9-1.el5_7.1.x86_64.rpm
     postgresql84-test-8.4.9-1.el5_7.1.x86_64.rpm

- Scientific Linux Development Team

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV