CVE-2012-2655

Related Files

Gentoo Linux Security Advisory 201209-24

Posted Sep 28, 2012

Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201209-24 - Multiple vulnerabilities have been found in PostgreSQL which may allow a remote attacker to conduct several attacks. Versions less than 9.1.5 are affected.

tags | advisory, remote, vulnerability

systems | linux, gentoo

advisories | CVE-2012-0866, CVE-2012-0867, CVE-2012-0868, CVE-2012-2143, CVE-2012-2655, CVE-2012-3488, CVE-2012-3489

SHA-256 | aadd0a998d1f2db81a1c115cf7617428cb68b328b2051e91f2e2de0940ce8305

Download | Favorite | View

Red Hat Security Advisory 2012-1037-01

Posted Jun 25, 2012

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2012-1037-01 - PostgreSQL is an advanced object-relational database management system. A flaw was found in the way the crypt() password hashing function from the optional PostgreSQL pgcrypto contrib module performed password transformation when used with the DES algorithm. If the password string to be hashed contained the 0x80 byte value, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. This made brute-force guessing more efficient as the whole password was not required to gain access to protected resources.

tags | advisory

systems | linux, redhat

advisories | CVE-2012-2143, CVE-2012-2655

SHA-256 | 43dd84d900e99c3f1b88175c8d6cb0d767071c6eb772b1ec31adf8ed1f003585

Download | Favorite | View

Mandriva Linux Security Advisory 2012-092

Posted Jun 16, 2012

Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2012-092 - Multiple vulnerabilities has been discovered and corrected in postgresql. Fix incorrect password transformation in contrib/pgcrypto's DES crypt() function (Solar Designer). If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler (Tom Lane). Applying such attributes to a call handler could crash the server. This advisory provides the latest versions of PostgreSQL that is not vulnerable to these issues.

tags | advisory, vulnerability

systems | linux, mandriva

advisories | CVE-2012-2143, CVE-2012-2655

SHA-256 | 1edfeb5c298d59aca21fc94dd3d94074bf90df118aaad1545a26a577513db22c

Download | Favorite | View

Debian Security Advisory 2491-1

Posted Jun 11, 2012

Authored by Debian | Site debian.org

Debian Linux Security Advisory 2491-1 - Two vulnerabilities were discovered in PostgreSQL, an SQL database server.

tags | advisory, vulnerability

systems | linux, debian

advisories | CVE-2012-2143, CVE-2012-2655

SHA-256 | 08cee1118490a95890ce39cec136e45a1e76b0f30a416aecbf838f863b61cc51

Download | Favorite | View

Ubuntu Security Notice USN-1461-1

Posted Jun 5, 2012

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1461-1 - It was discovered that PostgreSQL incorrectly handled certain bytes passed to the crypt() function when using DES encryption. An attacker could use this flaw to incorrectly handle authentication. It was discovered that PostgreSQL incorrectly handled SECURITY DEFINER and SET attributes on procedural call handlers. An attacker could use this flaw to cause PostgreSQL to crash, leading to a denial of service. Various other issues were also addressed.

tags | advisory, denial of service

systems | linux, ubuntu

advisories | CVE-2012-2143, CVE-2012-2655, CVE-2012-2143, CVE-2012-2655

SHA-256 | d480f4d0c7f143e0107319fc134d8cf735ea4e8f2d1e69b46c520248589c93c4

Download | Favorite | View