ALAS-2011-012 --- postgresql
ID: oval:org.secpod.oval:def:1601237 | Date: (C)2020-11-27 (M)2024-04-29 | Class: PATCH | Family: unix
A signedness issue was found in the way the crypt function in the PostgreSQL pgcrypto module handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value.

Note: Due to the CVE-2011-2483 fix, after installing this update some users may not be able to log in to applications that store user passwords, hashed with Blowfish using the PostgreSQL crypt function, in a back-end PostgreSQL database. Unsafe processing can be re-enabled for specific passwords by changing their hash prefix to "$2x$".
Platform: Amazon Linux AMI
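The signedness issue described in the advisory text, as an added C example (not pgcrypto's source code): it models only the step where a Blowfish key schedule packs password bytes into 32-bit words, and shows why a byte above 0x7F read as a signed value wipes the characters packed before it in the same word. The 18-word layout that cycles over the NUL-terminated password is an assumption based on the usual bcrypt key setup; the function names and sample passwords are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_WORDS 18  /* assumed: Blowfish P-array size used by bcrypt */

/* Pack password bytes into 32-bit words, four per word, cycling over the
 * password and its NUL terminator. sign_extend=1 models the defect (each
 * byte read as a signed char); sign_extend=0 models the corrected read. */
static void pack_key(const char *key, int sign_extend, uint32_t out[KEY_WORDS])
{
    const char *p = key;
    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t w = 0;
        for (int j = 0; j < 4; j++) {
            w <<= 8;
            if (sign_extend)  /* 0x80..0xFF widens to 0xFFFFFF80..0xFFFFFFFF */
                w |= (uint32_t)(int32_t)(signed char)*p;
            else
                w |= (unsigned char)*p;
            p = *p ? p + 1 : key;  /* wrap after the terminator */
        }
        out[i] = w;
    }
}

/* First packed word, to inspect what the cipher is keyed with. */
uint32_t first_word(const char *pw, int sign_extend)
{
    uint32_t w[KEY_WORDS];
    pack_key(pw, sign_extend, w);
    return w[0];
}

/* 1 if both passwords produce identical key material, else 0. */
int keys_collide(const char *a, const char *b, int sign_extend)
{
    uint32_t wa[KEY_WORDS], wb[KEY_WORDS];
    pack_key(a, sign_extend, wa);
    pack_key(b, sign_extend, wb);
    return memcmp(wa, wb, sizeof wa) == 0;
}

int main(void)
{
    /* Constructed samples: 0xA3 stands in for any 8-bit character. */
    printf("signed:   %d\n", keys_collide("ab\xa3", "xy\xa3", 1));
    printf("unsigned: %d\n", keys_collide("ab\xa3", "xy\xa3", 0));
    return 0;
}
```

The samples are three bytes long so that, with the terminator, the password repeats on a word boundary and every packed word is identical; the model stops at key packing and does not compute a hash.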