Lucene search

HistoryOct 17, 2011 - 12:00 a.m.

(RHSA-2011:1378) Moderate: postgresql84 security update






PostgreSQL is an advanced object-relational database management system

A signedness issue was found in the way the crypt() function in the
PostgreSQL pgcrypto module handled 8-bit characters in passwords when using
Blowfish hashing. Up to three characters immediately preceding a non-ASCII
character (one with the high bit set) had no effect on the hash result,
thus shortening the effective password length. This made brute-force
guessing more efficient as several different passwords were hashed to the
same value. (CVE-2011-2483)

Note: Due to the CVE-2011-2483 fix, after installing this update some users
may not be able to log in to applications that store user passwords, hashed
with Blowfish using the PostgreSQL crypt() function, in a back-end
PostgreSQL database. Unsafe processing can be re-enabled for specific
passwords (allowing affected users to log in) by changing their hash prefix
to “$2x$”.

These updated postgresql84 packages upgrade PostgreSQL to version 8.4.9.
Refer to the PostgreSQL Release Notes for a full list of changes:

All PostgreSQL users are advised to upgrade to these updated packages,
which correct this issue. If the postgresql service is running, it will be
automatically restarted after installing this update.