Debian Bug report logs - #631286
CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash


Package: src:php5; Maintainer for src:php5 is (unknown);

Reported by: Luciano Bello <luciano@debian.org>

Date: Wed, 22 Jun 2011 15:00:01 UTC

Severity: serious

Tags: security, sid, squeeze, wheezy

Merged with 631347

Fixed in version php5/5.3.6-13

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>:
Bug#631285; Package postgresql. (Wed, 22 Jun 2011 15:00:05 GMT)


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Martin Pitt <mpitt@debian.org>. (Wed, 22 Jun 2011 15:00:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash
Date: Wed, 22 Jun 2011 11:57:06 -0300
Package: postgresql
Severity: serious
Tags: security

Hi,
A bug in crypt_blowfish was reported [1,2,3]. The function BF_set_key in
postgresql is vulnerable. The RH report [4] may be useful too. Upstream already
has a patch [5].

Please consider providing patches for stable and oldstable too.

The CVE (Common Vulnerabilities & Exposures) assigned is CVE-2011-2483.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

[1] http://www.openwall.com/lists/oss-security/2011/06/20/2
[2] http://www.openwall.com/lists/john-dev/2011/06/20/3
[3] http://www.openwall.com/lists/john-dev/2011/06/20/5
[4] https://bugzilla.redhat.com/show_bug.cgi?id=715025
[5] http://git.postgresql.org/gitweb?p=postgresql.git;a=commitdiff;h=ca59dfa6f727fe3bf3a01904ec30e87f7fa5a67e

-luciano
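The report above only names the affected function. For readers who want to see why "8-bit character mishandling" turns into hash collisions, the following is an added illustration (not code from the bug report, from crypt_blowfish or from PostgreSQL). It models the key-loading loop of BF_set_key in simplified form: password bytes are packed big-endian, four at a time, into 32-bit subkey words, cycling back to the start of the password after its terminating NUL. The defect is that a byte is OR-ed into the accumulator as a plain `char`; on platforms where `char` is signed, any byte at or above 0x80 is sign-extended to 0xFFFFFFxx and overwrites the bytes already shifted in. The example forces the signed interpretation with an explicit `signed char` cast so the behaviour is the same on every platform, and places the corrected form (OR in only the low eight bits via `unsigned char`) beside it. The helper names `expand_key` and `keys_collide`, and the sample passwords, are constructed for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Blowfish loads 16 + 2 P-array words from the password. */
#define KEY_WORDS 18

/* Simplified model of the BF_set_key packing loop (not the original source).
   sign_extend != 0 reproduces the CVE-2011-2483 defect: the byte is widened
   through signed char, so a byte >= 0x80 becomes 0xFFFFFFxx and wipes the
   bytes already shifted into tmp.  sign_extend == 0 is the corrected form. */
static void expand_key(const char *key, int sign_extend, uint32_t out[KEY_WORDS])
{
    const char *ptr = key;

    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (sign_extend)
                tmp |= (uint32_t)(int)(signed char)*ptr; /* defective: sign-extended */
            else
                tmp |= (unsigned char)*ptr;              /* hardened: low 8 bits only */
            /* After the terminating NUL, wrap around to the start of the key. */
            if (*ptr == '\0')
                ptr = key;
            else
                ptr++;
        }
        out[i] = tmp;
    }
}

/* Returns 1 when two passwords load identical subkeys, i.e. they would
   produce the same hash for the same salt; 0 otherwise. */
int keys_collide(const char *k1, const char *k2, int sign_extend)
{
    uint32_t w1[KEY_WORDS], w2[KEY_WORDS];

    expand_key(k1, sign_extend, w1);
    expand_key(k2, sign_extend, w2);
    return memcmp(w1, w2, sizeof w1) == 0;
}

int main(void)
{
    /* Constructed sample passwords; the byte 0xA3 has its high bit set.
       With a three-byte password the pattern "x y 0xA3 NUL" repeats every
       four bytes, so every subkey word is affected the same way. */
    const char *a = "ab\xa3";
    const char *b = "xy\xa3";
    const char *c = "\xa3";

    printf("signed char  : ab\\xa3 vs xy\\xa3 collide? %d\n", keys_collide(a, b, 1));
    printf("unsigned char: ab\\xa3 vs xy\\xa3 collide? %d\n", keys_collide(a, b, 0));
    printf("signed char  : ab\\xa3 vs \\xa3   collide? %d\n", keys_collide(a, c, 1));
    printf("unsigned char: ab\\xa3 vs \\xa3   collide? %d\n", keys_collide(a, c, 0));
    printf("signed char  : abc vs abd (pure ASCII) collide? %d\n", keys_collide("abc", "abd", 1));
    return 0;
}
```

Under the defective loop the first two bytes of each four-byte group are lost whenever the third byte is non-ASCII, so "ab\xa3", "xy\xa3" and even the single byte "\xa3" all expand to the same subkeys; pure-ASCII passwords are unaffected, which is why the defect went unnoticed for so long. The corrected loop keeps every byte distinct. For a deployment, the practical consequence is that hashes computed with the defective code for passwords containing non-ASCII characters cannot be verified against the corrected code, so those users must re-set their passwords after the fix is installed.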




Bug 631285 cloned as bug 631286. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Wed, 22 Jun 2011 15:09:07 GMT)


Bug reassigned from package 'postgresql' to 'src:php5'. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Wed, 22 Jun 2011 15:09:10 GMT)


Added tag(s) sid, squeeze, and wheezy. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Thu, 23 Jun 2011 05:45:07 GMT)


Forcibly merged 631286 631347. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Thu, 23 Jun 2011 06:27:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Aug 2011 07:34:37 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:26:44 2023; Machine Name: buxtehude
