Make Homepage | Add To Favorites | Print Page | Submit News | Feedback | Contact | 

Your Technical Computer Information Resource!  
  Technical Updates @ TACKtech Corp.  

05.30.2012 - Security Patch 2012-05-30

View PostgreSQL-Press related news.

Today the PHP, OpenBSD and FreeBSD communities announced updates to patch a security hole involving their crypt() hashing algorithms. This issue is described in CVE-2012-2143. This vulnerability also affects a minority of PostgreSQL users, and will be fixed in an update release on June 4, 2012.

Affected users are those who use the crypt(text, text) function with DES encryption in the optional pg_crypto module. Passwords affected are those that contain characters that cannot be represented with 7-bit ASCII. If a password contains a character that has the most significant bit set (0x80), and DES encryption is used, that character and all characters after it will be ignored.

Users of high-security applications who cannot wait for the update are recommended to do one of three things:

  • switch from using crypt() with DES to a more current encryption algorithm such as Blowfish.
  • download the patch, patch their own installations in source code form, reinstall pg_crypto, disconnect all sessions and restart them to reload the library or restart the server.
  • add a check to ensure that all passwords hashed with crypt() do not allow the value 0x80.

Note that users who patch their installations, or who apply the update on June 4th, may need to regenerate passwords for some or all of their application users due to the change in the hashing algorithm. Specifically, after the update, passwords containing 0x80 will no longer work.

The PostgreSQL Project regrets the inconvenience to our users. We are grateful to security researchers Robin Xu and Joseph Bonneau for discovering this issue.

For more information on the pg_crypto module, please see the documentation.

- Download PostgreSQL
- View Press Release
- Visit PostgreSQL

NID: 42169 / Submitted by: The Zilla of Zuron
Categories: Server Applications, Open Source, Press Release
Most recent PostgreSQL-Press related news.
Announcing the Release of OmniDB: Lightweight and Easy-to-Use Tool for Database Management
PostgreSQL Maestro 17.8 released. PostgreSQL 10 support and other new features.
PostgreSQL 10 Beta 3 Released!
2017-08-10 Security Update Release
PostgresOpen SV 2017 - Less than a month away!
View archive of PostgreSQL-Press related news.

Visit the TACKtech Shop
  Popular Tech News  
  Most Viewed News  
  Top Affiliates