CVE-2012-2143: Fix incorrect password transformation in contrib/pgcrypto’s DES crypt() function

This vulnerability affects PostgreSQL users who use the crypt(text, text) function (in the optional pgcrypto module) with DES encryption and non-ASCII passwords. Passwords affected are those that contain the byte value 0x80. Characters after such a byte were ignored, making the effective password shorter and easier to crack than it should be. After the upgrade, any passwords containing such bytes will need to be regenerated.

CVE-2012-2655: Ignore SECURITY DEFINER and SET attributes for a procedural language’s call handler

Applying such attributes to a call handler could crash the server.

Ebuilds for the new versions are WIP.
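The truncation described for CVE-2012-2143 comes from the way DES crypt() turns the password into key material: each byte is shifted left one bit (DES ignores the low parity bit of every key byte) and copied into an 8-byte key buffer until a terminating NUL is seen. The following C is an added illustration, not pgcrypto's or FreeBSD's source and not part of this bug report; it is a simplified model of that key-setup loop (the extended rounds for passwords longer than 8 bytes are omitted), with function names of my own. It shows how a zero test on the shifted, truncated byte mistakes 0x80 (0x80 << 1 == 0x100, which is 0x00 in a byte) for the end of the password, so everything after it stops contributing, and how testing the input byte instead restores the full password:

```c
/* Model of the DES crypt() password-to-key transformation (added example,
 * not pgcrypto's code). Password bytes are shifted left one bit and copied
 * into an 8-byte DES key buffer, zero-padded after the terminating NUL. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DES_KEY_BYTES 8

/* Flawed variant: the loop tests the *shifted and truncated* byte for zero.
 * A 0x80 input byte shifts to 0x100, which truncates to 0x00, so it is
 * treated like the terminating NUL and the key pointer stops advancing.
 * Every remaining slot is filled from that same 0x80 byte (i.e. with 0x00),
 * and all later password bytes are ignored. */
static void key_setup_flawed(const char *key, uint8_t out[DES_KEY_BYTES])
{
    uint8_t *q = out;
    while (q - out < DES_KEY_BYTES) {
        if ((*q++ = (uint8_t)(*key << 1)) != 0)
            key++;
    }
}

/* Corrected variant: the loop tests the *input* byte for NUL, so 0x80 is
 * copied (as 0x00 key material, as DES's parity-bit convention dictates)
 * and the following bytes are still consumed. */
static void key_setup_fixed(const char *key, uint8_t out[DES_KEY_BYTES])
{
    uint8_t *q = out;
    while (q - out < DES_KEY_BYTES) {
        *q++ = (uint8_t)(*key << 1);
        if (*key != '\0')
            key++;
    }
}

/* Returns 1 if passwords a and b produce identical DES key material under
 * the given setup routine (i.e. would verify against the same hash), else 0. */
static int same_key_material(void (*setup)(const char *, uint8_t *),
                             const char *a, const char *b)
{
    uint8_t ka[DES_KEY_BYTES], kb[DES_KEY_BYTES];
    setup(a, ka);
    setup(b, kb);
    return memcmp(ka, kb, DES_KEY_BYTES) == 0;
}

static void dump_key(const char *label, void (*setup)(const char *, uint8_t *),
                     const char *pw)
{
    uint8_t k[DES_KEY_BYTES];
    setup(pw, k);
    printf("%-7s %-10s", label, pw);
    for (int i = 0; i < DES_KEY_BYTES; i++)
        printf(" %02x", k[i]);
    putchar('\n');
}

int main(void)
{
    /* Constructed sample passwords. "ab\x80xy" is the full password;
     * "ab\x80" is the prefix an attacker would only need under the flaw.
     * (Letters after \x80 are chosen outside [0-9a-f] so the C compiler does
     * not absorb them into the hex escape.) */
    const char *full = "ab\x80xy";
    const char *prefix = "ab\x80";

    dump_key("flawed", key_setup_flawed, full);
    dump_key("flawed", key_setup_flawed, prefix);
    dump_key("fixed", key_setup_fixed, full);
    dump_key("fixed", key_setup_fixed, prefix);

    printf("flawed: prefix matches full password: %s\n",
           same_key_material(key_setup_flawed, full, prefix) ? "yes" : "no");
    printf("fixed:  prefix matches full password: %s\n",
           same_key_material(key_setup_fixed, full, prefix) ? "yes" : "no");
    return 0;
}
```

The pair of `same_key_material` results is the whole story of the advisory: under the flawed loop the 3-byte prefix yields the same key as the 5-byte password, which is why the effective password is shorter than the user believes and why hashes made with the old code have to be regenerated after the fix rather than simply re-verified.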
+
+ 05 Jun 2012; Patrick Lauer <patrick@gentoo.org>
+ +postgresql-server-8.3.19.ebuild, +postgresql-server-8.4.12.ebuild,
+ +postgresql-server-9.0.8.ebuild, +postgresql-server-9.1.4.ebuild:
+ Bump for #419727

ebuilds are there, suggest the usual stabling.
Thanks, Patrick. Arches, please test and mark stable:

=dev-db/postgresql-base-8.3.19
=dev-db/postgresql-server-8.3.19
=dev-db/postgresql-docs-8.3.19
=dev-db/postgresql-base-8.4.12
=dev-db/postgresql-server-8.4.12
=dev-db/postgresql-docs-8.4.12
=dev-db/postgresql-base-9.0.7
=dev-db/postgresql-server-9.0.7
=dev-db/postgresql-docs-9.0.7
=dev-db/postgresql-base-9.1.3
=dev-db/postgresql-server-9.1.3
=dev-db/postgresql-docs-9.1.3

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 stable
Stable for HPPA.
ppc64 done
x86 stable (9.0.8 and 9.1.4 instead of 9.0.7 and 9.1.3 from comment #2), thanks.
arm stable
alpha/arm/ia64/s390/sh/sparc stable
CVE-2012-2143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2143): The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
CVE-2012-2655 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2655): PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler.
Moving to [glsa]. PPC, please stabilize the newer versions from bug 431766 instead.
Affected versions no longer in tree.
This issue was resolved and addressed in GLSA 201209-24 at http://security.gentoo.org/glsa/glsa-201209-24.xml by GLSA coordinator Sean Amoss (ackle).