====================================================================

                             CERT-Renater

                  Note d'Information No. 2012/VULN238
____________________________________________________________________

DATE                : 31/05/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PostgreSQL.

======================================================================
http://www.postgresql.org/about/news/1397/
______________________________________________________________________

Security Patch 2012-05-30

Posted on 2012-05-30

Today the PHP, OpenBSD and FreeBSD communities announced updates to
patch a security hole involving their crypt() hashing algorithms. This
issue is described in CVE-2012-2143. This vulnerability also affects a
minority of PostgreSQL users, and will be fixed in an update release on
June 4, 2012.

Affected users are those who use the crypt(text, text) function with
DES encryption in the optional pg_crypto module. Passwords affected are
those that contain characters that cannot be represented with 7-bit
ASCII. If a password contains a character that has the most significant
bit set (0x80), and DES encryption is used, that character and all
characters after it will be ignored.

Users of high-security applications who cannot wait for the update are
recommended to do one of three things:

switch from using crypt() with DES to a more current encryption
algorithm such as Blowfish.
download the patch, patch their own installations in source code form,
reinstall pg_crypto, disconnect all sessions and restart them to reload
the library or restart the server.
add a check to ensure that all passwords hashed with crypt() do not
allow the value 0x80.
Note that users who patch their installations, or who apply the update
on June 4th, may need to regenerate passwords for some or all of their
application users due to the change in the hashing algorithm.
Specifically, after the update, passwords containing 0x80 will no
longer work.

The PostgreSQL Project regrets the inconvenience to our users. We are
grateful to security researchers Robin Xu and Joseph Bonneau for
discovering this issue.

For more information on the pg_crypto module, please see the
documentation.



======================================================================

=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================