CVE-2011-2483
Published: 25 August 2011
crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.
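The description above says only that crypt_blowfish before 1.1 "does not properly handle 8-bit characters". The mechanism, taken from the crypt_blowfish 1.1 fix and not stated on this page, is that the key-loading loop of the bcrypt key schedule OR-ed a plain `char` into an unsigned 32-bit word; on platforms where `char` is signed (x86 among them) any byte >= 0x80 sign-extends to 0xFFFFFFxx and overwrites the bytes already packed into that word. The C program below is an added example, not code from crypt_blowfish, PHP or PostgreSQL: it models just that loading step in the broken and the fixed form side by side and shows that under the old code distinct passwords containing an 8-bit byte feed identical key material into Blowfish, which is what lets someone holding a hash narrow the candidate password set. The sample passwords and the names `KEY_WORDS`, `load_word`, `expand_key`, `keys_collide` and `loaders_agree` are ours; the explicit `signed char` cast is also ours, so the demonstration behaves the same on platforms where `char` is unsigned.

```c
/* Added example: model of bcrypt's 4-byte key-loading step, pre-1.1 bug vs fix.
 * Not the crypt_blowfish source; only the loading of key bytes into 32-bit
 * words is reproduced, since that is where the 8-bit handling went wrong. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define KEY_WORDS 18  /* bcrypt mixes 18 words (72 bytes) of key material into the P-array */

/* Load the next four key bytes into one 32-bit word, big-endian, wrapping
 * back to the start of the key after its terminating NUL (bcrypt includes
 * the NUL and then cycles). buggy != 0 selects the pre-1.1 behaviour. */
static uint32_t load_word(const char *key, const char **pp, int buggy)
{
    const char *p = *pp;
    uint32_t w = 0;
    for (int j = 0; j < 4; j++) {
        w <<= 8;
        if (buggy)
            w |= (uint32_t)(int)(signed char)*p;  /* 0xA3 becomes 0xFFFFFFA3 and wipes earlier bytes */
        else
            w |= (unsigned char)*p;               /* 0xA3 stays 0x000000A3 (the 1.1 fix: explicit unsigned cast) */
        p = (*p == '\0') ? key : p + 1;
    }
    *pp = p;
    return w;
}

static void expand_key(const char *key, uint32_t out[KEY_WORDS], int buggy)
{
    const char *p = key;
    for (int i = 0; i < KEY_WORDS; i++)
        out[i] = load_word(key, &p, buggy);
}

/* 1 if passwords a and b feed identical key material into Blowfish under the
 * selected loader, i.e. they would hash identically for any salt and cost. */
int keys_collide(const char *a, const char *b, int buggy)
{
    uint32_t wa[KEY_WORDS], wb[KEY_WORDS];
    expand_key(a, wa, buggy);
    expand_key(b, wb, buggy);
    return memcmp(wa, wb, sizeof wa) == 0;
}

/* 1 if the buggy and fixed loaders agree on this password. True for every
 * password made only of 7-bit characters, which is why ASCII-only hashes
 * from the old code stay valid and only 8-bit passwords are affected. */
int loaders_agree(const char *key)
{
    uint32_t wb[KEY_WORDS], wf[KEY_WORDS];
    expand_key(key, wb, 1);
    expand_key(key, wf, 0);
    return memcmp(wb, wf, sizeof wb) == 0;
}

int main(void)
{
    /* Constructed sample passwords; 0xA3 stands for any byte >= 0x80,
     * e.g. the lead byte of a UTF-8 encoded non-ASCII character. */
    const char *longer = "ab\xA3";
    const char *other  = "xy\xA3";
    const char *short1 = "\xA3";

    printf("ASCII-only password, loaders agree: %d\n", loaders_agree("correct horse"));
    printf("8-bit password, loaders agree:      %d\n", loaders_agree(longer));
    printf("\"ab\\xA3\" vs \"xy\\xA3\" collide, buggy: %d  fixed: %d\n",
           keys_collide(longer, other, 1), keys_collide(longer, other, 0));
    printf("\"ab\\xA3\" vs \"\\xA3\"   collide, buggy: %d  fixed: %d\n",
           keys_collide(longer, short1, 1), keys_collide(longer, short1, 0));
    return 0;
}
```

Under the old loader every byte before an 8-bit byte in the same 4-byte group is lost, so "ab\xA3", "xy\xA3" and the one-byte "\xA3" all expand to the same 18 words; the fixed loader keeps them distinct. This is also why the fix had to change hash prefixes rather than just the code: crypt_blowfish 1.1 emits `$2y$` for correctly computed hashes and accepts `$2x$` to verify against hashes produced by the old behaviour, and PHP 5.3.7 adopted the same prefixes. Hashes of passwords that contained only 7-bit characters are unaffected either way.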
Notes
Author | Note |
---|---|
jdstrand | libcrypt-eksblowfish-perl not affected per Debian (fixed in 2007); see Red Hat bug on php5 patches. A regression was introduced in 5.3.7. postgresql needs more than upstream patch. |
mdeslaur | setting john priority to low, since it's not really a security issue, and Ubuntu doesn't use blowfish hashes. |
Priority
Status
Package | Release | Status |
---|---|---|
john | hardy | Ignored (end of life) |
john | lucid | Ignored (end of life) |
john | maverick | Ignored (end of life) |
john | natty | Ignored (end of life) |
john | oneiric | Not vulnerable (1.7.8-1) |
john | precise | Not vulnerable (1.7.8-1) |
john | quantal | Not vulnerable (1.7.8-1) |
john | raring | Not vulnerable (1.7.8-1) |
john | saucy | Not vulnerable (1.7.8-1) |
john | trusty | Does not exist (trusty was not-affected [1.7.8-1]) |
john | upstream | Released (1.7.8-1) |
john | utopic | Not vulnerable (1.7.8-1) |
john | vivid | Not vulnerable (1.7.8-1) |
libcrypt-eksblowfish-perl | hardy | Not vulnerable |
libcrypt-eksblowfish-perl | lucid | Not vulnerable |
libcrypt-eksblowfish-perl | maverick | Not vulnerable |
libcrypt-eksblowfish-perl | natty | Not vulnerable |
libcrypt-eksblowfish-perl | oneiric | Not vulnerable |
libcrypt-eksblowfish-perl | precise | Not vulnerable |
libcrypt-eksblowfish-perl | quantal | Not vulnerable |
libcrypt-eksblowfish-perl | raring | Not vulnerable |
libcrypt-eksblowfish-perl | saucy | Not vulnerable |
libcrypt-eksblowfish-perl | trusty | Does not exist (trusty was not-affected) |
libcrypt-eksblowfish-perl | upstream | Needs triage |
libcrypt-eksblowfish-perl | utopic | Not vulnerable |
libcrypt-eksblowfish-perl | vivid | Not vulnerable |
php5 | hardy | Released (5.2.4-2ubuntu5.18) |
php5 | lucid | Released (5.3.2-1ubuntu4.10) |
php5 | maverick | Released (5.3.3-1ubuntu9.6) |
php5 | natty | Released (5.3.5-1ubuntu7.3) |
php5 | oneiric | Not vulnerable (5.3.6-13ubuntu2) |
php5 | precise | Not vulnerable (5.3.6-13ubuntu2) |
php5 | quantal | Not vulnerable (5.3.6-13ubuntu2) |
php5 | raring | Not vulnerable (5.3.6-13ubuntu2) |
php5 | saucy | Not vulnerable (5.3.6-13ubuntu2) |
php5 | trusty | Not vulnerable (5.3.6-13ubuntu2) |
php5 | upstream | Released (5.3.6-13, 5.3.8-1) |
php5 | utopic | Not vulnerable (5.3.6-13ubuntu2) |
php5 | vivid | Not vulnerable (5.3.6-13ubuntu2) |
postgresql-8.2 | hardy | Ignored (end of life) |
postgresql-8.2 | lucid | Does not exist |
postgresql-8.2 | maverick | Does not exist |
postgresql-8.2 | natty | Does not exist |
postgresql-8.2 | oneiric | Does not exist |
postgresql-8.2 | precise | Does not exist |
postgresql-8.2 | quantal | Does not exist |
postgresql-8.2 | raring | Does not exist |
postgresql-8.2 | saucy | Does not exist |
postgresql-8.2 | trusty | Does not exist |
postgresql-8.2 | upstream | Needs triage |
postgresql-8.2 | utopic | Does not exist |
postgresql-8.2 | vivid | Does not exist |
postgresql-8.3 | hardy | Released (8.3.16-0ubuntu0.8.04) |
postgresql-8.3 | lucid | Does not exist |
postgresql-8.3 | maverick | Does not exist |
postgresql-8.3 | natty | Does not exist |
postgresql-8.3 | oneiric | Does not exist |
postgresql-8.3 | precise | Does not exist |
postgresql-8.3 | quantal | Does not exist |
postgresql-8.3 | raring | Does not exist |
postgresql-8.3 | saucy | Does not exist |
postgresql-8.3 | trusty | Does not exist |
postgresql-8.3 | upstream | Needs triage |
postgresql-8.3 | utopic | Does not exist |
postgresql-8.3 | vivid | Does not exist |
postgresql-8.4 | hardy | Does not exist |
postgresql-8.4 | lucid | Released (8.4.9-0ubuntu0.10.04) |
postgresql-8.4 | maverick | Released (8.4.9-0ubuntu0.10.10) |
postgresql-8.4 | natty | Released (8.4.9-0ubuntu0.11.04) |
postgresql-8.4 | oneiric | Ignored (end of life) |
postgresql-8.4 | precise | Not vulnerable (8.4.11-1) |
postgresql-8.4 | quantal | Does not exist |
postgresql-8.4 | raring | Does not exist |
postgresql-8.4 | saucy | Does not exist |
postgresql-8.4 | trusty | Does not exist |
postgresql-8.4 | upstream | Pending (8.4.9) |
postgresql-8.4 | utopic | Does not exist |
postgresql-8.4 | vivid | Does not exist |
postgresql-9.1 | hardy | Does not exist |
postgresql-9.1 | lucid | Does not exist |
postgresql-9.1 | maverick | Does not exist |
postgresql-9.1 | natty | Does not exist |
postgresql-9.1 | oneiric | Not vulnerable (9.1~rc1-2) |
postgresql-9.1 | precise | Not vulnerable (9.1~rc1-2) |
postgresql-9.1 | quantal | Not vulnerable (9.1~rc1-2) |
postgresql-9.1 | raring | Not vulnerable (9.1~rc1-2) |
postgresql-9.1 | saucy | Not vulnerable (9.1~rc1-2) |
postgresql-9.1 | trusty | Does not exist (trusty was not-affected [9.1~rc1-2]) |
postgresql-9.1 | upstream | Pending (9.1~rc1-2) |
postgresql-9.1 | utopic | Does not exist |
postgresql-9.1 | vivid | Does not exist |
Patches:
- john (other): http://www.openwall.com/lists/john-dev/2011/06/19/3
- postgresql-9.1 (upstream): http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=ca59dfa6f727fe3bf3a01904ec30e87f7fa5a67e
References
- https://ubuntu.com/security/notices/USN-1229-1
- https://ubuntu.com/security/notices/USN-1231-1
- https://www.cve.org/CVERecord?id=CVE-2011-2483
- NVD
- Launchpad
- Debian
Bugs
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631347 (php5)
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631285 (postgresql)
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631283 (php5-suhosin)
- http://www.openwall.com/lists/oss-security/2011/06/20/2
- http://www.openwall.com/lists/john-dev/2011/06/20/3
- http://www.openwall.com/lists/john-dev/2011/06/20/5
- https://bugzilla.redhat.com/show_bug.cgi?id=715025
- http://www.php.net/archive/2011.php#id2011-08-18-1