CVE-2012-2143: Fix incorrect password transformation in contrib/pgcrypto’s DES crypt() function
This vulnerability affects PostgreSQL users who use the crypt(text, text) function (in the optional pgcrypto module) with DES encryption and non-ASCII passwords. Passwords affected are those that contain the byte value 0x80. Characters after such a byte were ignored, making the effective password shorter and easier to crack than it should be. After the upgrade, any passwords containing such bytes will need to be regenerated.
CVE-2012-2655: Ignore SECURITY DEFINER and SET attributes for a procedural language’s call handler
Applying such attributes to a call handler could crash the server.
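To make the CVE-2012-2143 mechanism concrete, here is an added illustration that is not code from PostgreSQL, FreeBSD, pgcrypto or this bug: a reconstruction of the key-copy loop in DES crypt() before and after the fix, run on a constructed UTF-8 password "pÀssword" whose third byte is 0x80 (À is C3 80). The function names and sample passwords are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Illustrative reconstruction of the key-copy loop at the heart of
 * CVE-2012-2143 (not the FreeBSD or pgcrypto source). DES crypt() copies
 * the first 8 password bytes into the key buffer, shifting each left by
 * one so the top bit lands in the ignored DES parity position. The pre-fix
 * loop advanced the password pointer only when the *shifted* byte was
 * non-zero; 0x80 << 1 truncates to 0x00 in an 8-bit buffer, so the pointer
 * sticks on a 0x80 byte and everything after it is never read.
 */
void des_keysetup_buggy(const char *key, uint8_t keybuf[8])
{
    uint8_t *q = keybuf;

    while (q - keybuf < 8) {
        /* Same truncation as `*q++ = *key << 1` into a uint8 buffer; the
           double cast just avoids shifting a negative plain char. */
        if ((*q++ = (uint8_t)((uint8_t)*key << 1)) != 0)
            key++;
    }
}

/* Post-fix pattern: advance on the raw byte being non-NUL, not on the
   shifted value, so a 0x80 byte is consumed like any other. */
void des_keysetup_fixed(const char *key, uint8_t keybuf[8])
{
    uint8_t *q = keybuf;

    while (q - keybuf < 8) {
        *q++ = (uint8_t)((uint8_t)*key << 1);
        if (*key != '\0')
            key++;
    }
}

/* Number of password bytes the buggy loop actually consumes (at most 8). */
size_t des_buggy_bytes_used(const char *key)
{
    size_t used = 0;
    const char *p = key;

    for (int i = 0; i < 8; i++) {
        if ((uint8_t)((uint8_t)*p << 1) != 0) {
            p++;
            used++;
        }
    }
    return used;
}

/* 1 if passwords a and b produce byte-identical DES keys under setup. */
int same_des_key(void (*setup)(const char *, uint8_t *),
                 const char *a, const char *b)
{
    uint8_t ka[8], kb[8];

    setup(a, ka);
    setup(b, kb);
    return memcmp(ka, kb, sizeof ka) == 0;
}

int main(void)
{
    /* Constructed sample: "pÀssword" in UTF-8 is 70 C3 80 73 73 77 6F 72 64.
       The literal is split so "\x80" is not followed by hex digits that the
       compiler would fold into the escape. */
    const char *full = "p\xC3\x80" "ssword";
    const char *stub = "p\xC3";

    printf("buggy: same key for \"pÀssword\" and \"p\\xC3\"? %d (bytes used: %zu)\n",
           same_des_key(des_keysetup_buggy, full, stub),
           des_buggy_bytes_used(full));
    printf("fixed: same key for \"pÀssword\" and \"p\\xC3\"? %d\n",
           same_des_key(des_keysetup_fixed, full, stub));
    return 0;
}
```

Under the buggy loop only the two bytes before 0x80 reach the key, so any password beginning "p\xC3" authenticates; under the fixed loop the remaining bytes are used, which is why stored hashes of such passwords no longer verify after the upgrade and must be regenerated. Two caveats the example also shows: the shift discards the top bit, so a 0x80 byte still contributes a zero key byte after the fix, and traditional DES crypt() only ever reads the first 8 bytes, so a 0x80 byte beyond position 8 changes nothing either way.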
Ebuilds for the new versions are WIP.
+ 05 Jun 2012; Patrick Lauer <email@example.com>
+ +postgresql-server-8.3.19.ebuild, +postgresql-server-8.4.12.ebuild,
+ +postgresql-server-9.0.8.ebuild, +postgresql-server-9.1.4.ebuild:
+ Bump for #419727
Ebuilds are there; suggest the usual stabling.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
x86 stable (9.0.8 and 9.1.4 instead of 9.0.7 and 9.1.3 from comment #2), thanks.
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler.
Moving to [glsa]. PPC, please stabilize the newer versions from bug 431766 instead.
Affected versions no longer in tree.
This issue was resolved and addressed in
GLSA 201209-24 at http://security.gentoo.org/glsa/glsa-201209-24.xml
by GLSA coordinator Sean Amoss (ackle).