Debian Security Advisory
DSA-2340-1 postgresql-8.3, postgresql-8.4, postgresql-9.0 -- weak password hashing
- Date Reported:
- 07 Nov 2011
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 631285.
In Mitre's CVE dictionary: CVE-2011-2483.
- More information:
magnum discovered that the blowfish password hashing used amongst others in PostgreSQL contained a weakness that would give passwords with 8 bit characters the same hash as weaker equivalents.
For the oldstable distribution (lenny), this problem has been fixed in postgresql-8.3 version 8.3.16-0lenny1.
For the stable distribution (squeeze), this problem has been fixed in postgresql-8.4 version 8.4.9-0squeeze1.
For the testing distribution (wheezy) and unstable distribution (sid), this problem has been fixed in postgresql-8.4 version 8.4.9-1, postgresql-9.0 9.0.5-1 and postgresql-9.1 9.1~rc1-1.
The updates also include reliability improvements, originally scheduled for inclusion into the next point release; for details see the respective changelogs.
We recommend that you upgrade your postgresql packages.