Your submission was sent successfully! Close

CVE-2011-2483

Published: 25 August 2011

crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.

Notes

AuthorNote
jdstrand
libcrypt-eksblowfish-perl not affected per Debian (fixed in 2007)
see redhat bug on php5 patches. A regression was introduced in 5.3.7
postgresql needs more than upstream patch
mdeslaur
setting john priority to low, since it's not really a security
issue, and Ubuntu doesn't use blowfish hashes.
Priority

Medium

Status

Package Release Status
john
Launchpad, Ubuntu, Debian
hardy Ignored
(reached end-of-life)
lucid Ignored
(reached end-of-life)
maverick Ignored
(reached end-of-life)
natty Ignored
(reached end-of-life)
oneiric Not vulnerable
(1.7.8-1)
precise Not vulnerable
(1.7.8-1)
quantal Not vulnerable
(1.7.8-1)
raring Not vulnerable
(1.7.8-1)
saucy Not vulnerable
(1.7.8-1)
trusty Does not exist
(trusty was not-affected [1.7.8-1])
upstream
Released (1.7.8-1)
utopic Not vulnerable
(1.7.8-1)
vivid Not vulnerable
(1.7.8-1)
Patches:
other: http://www.openwall.com/lists/john-dev/2011/06/19/3

libcrypt-eksblowfish-perl
Launchpad, Ubuntu, Debian
hardy Not vulnerable

lucid Not vulnerable

maverick Not vulnerable

natty Not vulnerable

oneiric Not vulnerable

precise Not vulnerable

quantal Not vulnerable

raring Not vulnerable

saucy Not vulnerable

trusty Does not exist
(trusty was not-affected)
upstream Needs triage

utopic Not vulnerable

vivid Not vulnerable

php5
Launchpad, Ubuntu, Debian
hardy
Released (5.2.4-2ubuntu5.18)
lucid
Released (5.3.2-1ubuntu4.10)
maverick
Released (5.3.3-1ubuntu9.6)
natty
Released (5.3.5-1ubuntu7.3)
oneiric Not vulnerable
(5.3.6-13ubuntu2)
precise Not vulnerable
(5.3.6-13ubuntu2)
quantal Not vulnerable
(5.3.6-13ubuntu2)
raring Not vulnerable
(5.3.6-13ubuntu2)
saucy Not vulnerable
(5.3.6-13ubuntu2)
trusty Not vulnerable
(5.3.6-13ubuntu2)
upstream
Released (5.3.6-13, 5.3.8-1)
utopic Not vulnerable
(5.3.6-13ubuntu2)
vivid Not vulnerable
(5.3.6-13ubuntu2)
postgresql-8.2
Launchpad, Ubuntu, Debian
hardy Ignored
(reached end-of-life)
lucid Does not exist

maverick Does not exist

natty Does not exist

oneiric Does not exist

precise Does not exist

quantal Does not exist

raring Does not exist

saucy Does not exist

trusty Does not exist

upstream Needs triage

utopic Does not exist

vivid Does not exist

postgresql-8.3
Launchpad, Ubuntu, Debian
hardy
Released (8.3.16-0ubuntu0.8.04)
lucid Does not exist

maverick Does not exist

natty Does not exist

oneiric Does not exist

precise Does not exist

quantal Does not exist

raring Does not exist

saucy Does not exist

trusty Does not exist

upstream Needs triage

utopic Does not exist

vivid Does not exist

postgresql-8.4
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid
Released (8.4.9-0ubuntu0.10.04)
maverick
Released (8.4.9-0ubuntu0.10.10)
natty
Released (8.4.9-0ubuntu0.11.04)
oneiric Ignored
(reached end-of-life)
precise Not vulnerable
(8.4.11-1)
quantal Does not exist

raring Does not exist

saucy Does not exist

trusty Does not exist

upstream Pending
(8.4.9)
utopic Does not exist

vivid Does not exist

postgresql-9.1
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Does not exist

maverick Does not exist

natty Does not exist

oneiric Not vulnerable
(9.1~rc1-2)
precise Not vulnerable
(9.1~rc1-2)
quantal Not vulnerable
(9.1~rc1-2)
raring Not vulnerable
(9.1~rc1-2)
saucy Not vulnerable
(9.1~rc1-2)
trusty Does not exist
(trusty was not-affected [9.1~rc1-2])
upstream Pending
(9.1~rc1-2)
utopic Does not exist

vivid Does not exist

Patches:

upstream: http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=ca59dfa6f727fe3bf3a01904ec30e87f7fa5a67e