SB2012070321 - Cryptographic issues in postgresql (Alpine package)
Published: July 3, 2012
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cryptographic issues (CVE-ID: CVE-2012-2143)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password. As per: http://git.php.net/?p=php-src.git;a=commitdiff;h=aab49e934de1fff046e659cbec46e3d053b41c34 and http://git.php.net/?p=php-src.git;a=commitdiff_plain;h=aab49e934de1fff046e659cbec46e3d053b41c34 PHP 5.3.13 and earlier are vulnerable.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=1c5310eff360085f33d17aad26ce9569a42419e7
- https://git.alpinelinux.org/aports/commit/?id=cd8669403fa9d39f9b385aaee42d8da3d1db20ff
- https://git.alpinelinux.org/aports/commit/?id=f295698d5f7474db0c9ec0b7d39c289f482e188f
- https://git.alpinelinux.org/aports/commit/?id=24f74765563bb229a7b0696522028620adef00d4