Summary: | <dev-db/postgresql-server-{8.2.22,8.3.16,8.4.9,9.0.5,9.1.1} Blowfish Signed-Character Bug (CVE-2011-2483) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Aaron W. Swenson <titanofold> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | mike, pgsql-bugs |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.postgresql.org/about/news.1355 | | |
Whiteboard: | B3 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Aaron W. Swenson
2011-09-26 15:38:01 UTC
All needed ebuilds in tree, stabilization requested

Thanks Aaron and Patrick.

Arches, please test and mark stable:

=dev-db/postgresql-server-8.2.22
=dev-db/postgresql-server-8.3.16
=dev-db/postgresql-server-8.4.9
=dev-db/postgresql-server-9.0.5

target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

=dev-db/postgresql-server-9.1.1 does not need stabilization.

(In reply to comment #2)
> Thanks Aaron and Patrick.
>
> Arches, please test and mark stable:
>
> =dev-db/postgresql-server-8.2.22
> =dev-db/postgresql-server-8.3.16
> =dev-db/postgresql-server-8.4.9
> =dev-db/postgresql-server-9.0.5
>
> target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
>
> =dev-db/postgresql-server-9.1.1 does not need stabilization.

-docs and -base of the same versions and revisions will be required as well, of course excluding 9.1.1. bug 384631 is not a blocker.

amd64 ok

Stable for HPPA.

ppc/ppc64 stable

amd64: pass

x86 done. Thanks.

alpha/arm/ia64/s390/sh/sparc stable

amd64 done. Thanks Elijah and Agostino

Thanks all, adding glsa vote request.

Thanks, everyone. GLSA Vote: yes.

Affected versions removed from tree.

FYI guys 8.3.16 isn't stable on x86.

(In reply to comment #14)
> FYI guys 8.3.16 isn't stable on x86.

Indeed, thanks, Mike. @x86, ping.

Marked 8.3.16 x86 stable.

It works for me on x86 as well on the workstation and the Hardened Server. (Both stable except for PostgreSQL.)

(In reply to comment #16)
> Marked 8.3.16 x86 stable.
>
> It works for me on x86 as well on the workstation and the Hardened Server.
> (Both stable except for PostgreSQL.)

Cool, tnx.

CVE-2011-2483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2483): crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.

GLSA with the other pgsql bugs

This issue was resolved and addressed in GLSA 201110-22 at http://security.gentoo.org/glsa/glsa-201110-22.xml by GLSA coordinator Alex Legler (a3li).
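The mechanism behind the CVE text quoted in the thread, as an added illustration that is not part of this bug report nor code from the PostgreSQL or crypt_blowfish sources: bcrypt's key schedule packs the password into 32-bit words four bytes at a time, cycling over the password with its terminating NUL included. In crypt_blowfish before 1.1 each byte was read through a plain `char`; on platforms where `char` is signed, any byte >= 0x80 is sign-extended to 0xFFFFFFxx before being OR-ed into the word, which overwrites every byte already packed ahead of it in that word with 0xFF. The model below reproduces that packing step in both its buggy and corrected forms (the names `bf_pack_key`, `bf_keys_equal` and `bf_key_affected` and the sample passwords are this example's own, not pgcrypto's) and shows passwords that collide under the old code but are distinguished by the fixed one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BF_N 16                 /* Blowfish rounds */
#define BF_WORDS (BF_N + 2)     /* P-array words filled from the key */

/*
 * Pack a NUL-terminated password into the BF_WORDS 32-bit words that
 * bcrypt XORs into the P-array, cycling over the password (NUL included)
 * the way crypt_blowfish's key schedule does.  With sign_extend = 0 each
 * byte is taken as unsigned (the 1.1 fix); with sign_extend = 1 it is read
 * through a signed char first, reproducing the pre-1.1 behaviour on
 * signed-char platforms: a byte >= 0x80 becomes 0xFFFFFFxx and OR-ing it
 * into tmp overwrites every byte already shifted in above it.
 */
static void bf_pack_key(const char *key, int sign_extend, uint32_t out[BF_WORDS])
{
    const char *ptr = key;

    for (int i = 0; i < BF_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (sign_extend)
                tmp |= (uint32_t)(int32_t)(signed char)*ptr;  /* pre-1.1 bug */
            else
                tmp |= (unsigned char)*ptr;                   /* 1.1 fix */
            if (!*ptr)
                ptr = key;      /* wrap after consuming the NUL as a key byte */
            else
                ptr++;
        }
        out[i] = tmp;
    }
}

/* 1 if two passwords yield identical key material under the chosen schedule. */
static int bf_keys_equal(const char *a, const char *b, int sign_extend)
{
    uint32_t wa[BF_WORDS], wb[BF_WORDS];
    bf_pack_key(a, sign_extend, wa);
    bf_pack_key(b, sign_extend, wb);
    return memcmp(wa, wb, sizeof wa) == 0;
}

/*
 * 1 if the buggy and fixed schedules disagree for this password, i.e. its
 * stored hash will no longer verify once the fix is applied and it has to
 * be rehashed.  Passwords made only of 7-bit bytes always return 0.
 */
static int bf_key_affected(const char *key)
{
    uint32_t buggy[BF_WORDS], fixed[BF_WORDS];
    bf_pack_key(key, 1, buggy);
    bf_pack_key(key, 0, fixed);
    return memcmp(buggy, fixed, sizeof buggy) != 0;
}

int main(void)
{
    /* Constructed sample passwords; 0xA3 is '£' in ISO-8859-1. */
    const char *p1 = "1\xa3" "345";     /* "1£345" */
    const char *p2 = "\xff\xa3" "345";  /* same, with the '1' replaced by 0xFF */

    printf("buggy schedule: \"1£345\" collides with \"\\xff£345\"? %d\n",
           bf_keys_equal(p1, p2, 1));                      /* 1 */
    printf("fixed schedule: same pair collides? %d\n",
           bf_keys_equal(p1, p2, 0));                      /* 0 */
    printf("rehash needed: \"password\" %d, \"1£345\" %d\n",
           bf_key_affected("password"), bf_key_affected(p1)); /* 0, 1 */
    return 0;
}
```

The practical effect is what the NVD entry describes: under the old code the bytes that precede an 8-bit byte within a 4-byte group are replaced by 0xFF in the key material, so an attacker who knows a hash was produced with the buggy schedule does not need to guess them. The flip side for an upgrade is that every stored hash of a password containing an 8-bit byte stops verifying once the corrected schedule is in use, which is why `bf_key_affected` reports such passwords as needing a rehash while pure-ASCII passwords are unaffected.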