CVE-2011-2483

Priority
Description
crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain
platforms, PostgreSQL before 8.4.9, and other products, does not properly
handle 8-bit characters, which makes it easier for context-dependent
attackers to determine a cleartext password by leveraging knowledge of a
password hash.
Assigned-to
sbeattie
Notes
jdstrand: libcrypt-eksblowfish-perl not affected per Debian (fixed in 2007)
see redhat bug on php5 patches. A regression was introduced in 5.3.7
postgresql needs more than upstream patch
mdeslaur: setting john priority to low, since it's not really a security
issue, and Ubuntu doesn't use blowfish hashes.
Package
Source: john (LP Ubuntu Debian)
Priority: Low
Upstream: released (1.7.8-1)
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was not-affected [1.7.8-1])
Patches:
Other: http://www.openwall.com/lists/john-dev/2011/06/19/3
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was not-affected)
Package
Source: php5 (LP Ubuntu Debian)
Upstream: released (5.3.6-13, 5.3.8-1)
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (5.3.6-13ubuntu2)
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Package
Upstream: pending (8.4.9)
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Package
Upstream: pending (9.1~rc1-2)
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was not-affected [9.1~rc1-2])
Patches:
Upstream: http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=ca59dfa6f727fe3bf3a01904ec30e87f7fa5a67e
More Information

Updated: 2020-03-18 22:06:36 UTC (commit 2ea7df7bd1e69e1e489978d2724a936eb3faa1b8)