5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
70.5%
Issue Overview:
A signedness issue was found in the way the crypt() function in the PostgreSQL pgcrypto module handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value. (CVE-2011-2483)
Note: Due to the CVE-2011-2483 fix, after installing this update some users may not be able to log in to applications that store user passwords, hashed with Blowfish using the PostgreSQL crypt() function, in a back-end PostgreSQL database. Unsafe processing can be re-enabled for specific passwords (allowing affected users to log in) by changing their hash prefix to “$2x$”.
Affected Packages:
postgresql
Issue Correction:
Run yum update postgresql to update your system.
New Packages:
i686:
postgresql-plperl-8.4.9-1.13.amzn1.i686
postgresql-libs-8.4.9-1.13.amzn1.i686
postgresql-devel-8.4.9-1.13.amzn1.i686
postgresql-docs-8.4.9-1.13.amzn1.i686
postgresql-contrib-8.4.9-1.13.amzn1.i686
postgresql-pltcl-8.4.9-1.13.amzn1.i686
postgresql-8.4.9-1.13.amzn1.i686
postgresql-server-8.4.9-1.13.amzn1.i686
postgresql-plpython-8.4.9-1.13.amzn1.i686
postgresql-debuginfo-8.4.9-1.13.amzn1.i686
postgresql-test-8.4.9-1.13.amzn1.i686
src:
postgresql-8.4.9-1.13.amzn1.src
x86_64:
postgresql-pltcl-8.4.9-1.13.amzn1.x86_64
postgresql-8.4.9-1.13.amzn1.x86_64
postgresql-plpython-8.4.9-1.13.amzn1.x86_64
postgresql-docs-8.4.9-1.13.amzn1.x86_64
postgresql-contrib-8.4.9-1.13.amzn1.x86_64
postgresql-plperl-8.4.9-1.13.amzn1.x86_64
postgresql-devel-8.4.9-1.13.amzn1.x86_64
postgresql-server-8.4.9-1.13.amzn1.x86_64
postgresql-libs-8.4.9-1.13.amzn1.x86_64
postgresql-test-8.4.9-1.13.amzn1.x86_64
postgresql-debuginfo-8.4.9-1.13.amzn1.x86_64
Red Hat: CVE-2011-2483
Mitre: CVE-2011-2483
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | postgresql-plperl | < 8.4.9-1.13.amzn1 | postgresql-plperl-8.4.9-1.13.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | postgresql-libs | < 8.4.9-1.13.amzn1 | postgresql-libs-8.4.9-1.13.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | postgresql-devel | < 8.4.9-1.13.amzn1 | postgresql-devel-8.4.9-1.13.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | postgresql-docs | < 8.4.9-1.13.amzn1 | postgresql-docs-8.4.9-1.13.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | postgresql-contrib | < 8.4.9-1.13.amzn1 | postgresql-contrib-8.4.9-1.13.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | postgresql-pltcl | < 8.4.9-1.13.amzn1 | postgresql-pltcl-8.4.9-1.13.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | postgresql | < 8.4.9-1.13.amzn1 | postgresql-8.4.9-1.13.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | postgresql-server | < 8.4.9-1.13.amzn1 | postgresql-server-8.4.9-1.13.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | postgresql-plpython | < 8.4.9-1.13.amzn1 | postgresql-plpython-8.4.9-1.13.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | postgresql-debuginfo | < 8.4.9-1.13.amzn1 | postgresql-debuginfo-8.4.9-1.13.amzn1.i686.rpm |