CVE-2011-2483
Published: 25 August 2011
crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.
Notes
| Author | Note |
|---|---|
| jdstrand | libcrypt-eksblowfish-perl not affected per Debian (fixed in 2007) see redhat bug on php5 patches. A regression was introduced in 5.3.7 postgresql needs more than upstream patch |
| mdeslaur | setting john priority to low, since it's not really a security issue, and Ubuntu doesn't use blowfish hashes. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
john Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
| lucid |
Ignored
(end of life)
|
|
| maverick |
Ignored
(end of life)
|
|
| natty |
Ignored
(end of life)
|
|
| oneiric |
Not vulnerable
(1.7.8-1)
|
|
| precise |
Not vulnerable
(1.7.8-1)
|
|
| quantal |
Not vulnerable
(1.7.8-1)
|
|
| raring |
Not vulnerable
(1.7.8-1)
|
|
| saucy |
Not vulnerable
(1.7.8-1)
|
|
| trusty |
Does not exist
(trusty was not-affected [1.7.8-1])
|
|
| upstream |
Released
(1.7.8-1)
|
|
| utopic |
Not vulnerable
(1.7.8-1)
|
|
| vivid |
Not vulnerable
(1.7.8-1)
|
|
|
Patches: other: http://www.openwall.com/lists/john-dev/2011/06/19/3 |
||
|
libcrypt-eksblowfish-perl Launchpad, Ubuntu, Debian |
hardy |
Not vulnerable
|
| lucid |
Not vulnerable
|
|
| maverick |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
|
|
| quantal |
Not vulnerable
|
|
| raring |
Not vulnerable
|
|
| saucy |
Not vulnerable
|
|
| trusty |
Does not exist
(trusty was not-affected)
|
|
| upstream |
Needs triage
|
|
| utopic |
Not vulnerable
|
|
| vivid |
Not vulnerable
|
|
|
php5 Launchpad, Ubuntu, Debian |
hardy |
Released
(5.2.4-2ubuntu5.18)
|
| lucid |
Released
(5.3.2-1ubuntu4.10)
|
|
| maverick |
Released
(5.3.3-1ubuntu9.6)
|
|
| natty |
Released
(5.3.5-1ubuntu7.3)
|
|
| oneiric |
Not vulnerable
(5.3.6-13ubuntu2)
|
|
| precise |
Not vulnerable
(5.3.6-13ubuntu2)
|
|
| quantal |
Not vulnerable
(5.3.6-13ubuntu2)
|
|
| raring |
Not vulnerable
(5.3.6-13ubuntu2)
|
|
| saucy |
Not vulnerable
(5.3.6-13ubuntu2)
|
|
| trusty |
Not vulnerable
(5.3.6-13ubuntu2)
|
|
| upstream |
Released
(5.3.6-13, 5.3.8-1)
|
|
| utopic |
Not vulnerable
(5.3.6-13ubuntu2)
|
|
| vivid |
Not vulnerable
(5.3.6-13ubuntu2)
|
|
|
postgresql-8.2 Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| saucy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
|
postgresql-8.3 Launchpad, Ubuntu, Debian |
hardy |
Released
(8.3.16-0ubuntu0.8.04)
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| saucy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
|
postgresql-8.4 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Released
(8.4.9-0ubuntu0.10.04)
|
|
| maverick |
Released
(8.4.9-0ubuntu0.10.10)
|
|
| natty |
Released
(8.4.9-0ubuntu0.11.04)
|
|
| oneiric |
Ignored
(end of life)
|
|
| precise |
Not vulnerable
(8.4.11-1)
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| saucy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Pending
(8.4.9)
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
|
postgresql-9.1 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Not vulnerable
(9.1~rc1-2)
|
|
| precise |
Not vulnerable
(9.1~rc1-2)
|
|
| quantal |
Not vulnerable
(9.1~rc1-2)
|
|
| raring |
Not vulnerable
(9.1~rc1-2)
|
|
| saucy |
Not vulnerable
(9.1~rc1-2)
|
|
| trusty |
Does not exist
(trusty was not-affected [9.1~rc1-2])
|
|
| upstream |
Pending
(9.1~rc1-2)
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
|
Patches: upstream: http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=ca59dfa6f727fe3bf3a01904ec30e87f7fa5a67e |
||
References
- https://ubuntu.com/security/notices/USN-1229-1
- https://ubuntu.com/security/notices/USN-1231-1
- https://www.cve.org/CVERecord?id=CVE-2011-2483
- NVD
- Launchpad
- Debian
Bugs
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631347 (php5)
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631285 (postgresql)
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631283 (php5-suhosin)
- http://www.openwall.com/lists/oss-security/2011/06/20/2
- http://www.openwall.com/lists/john-dev/2011/06/20/3
- http://www.openwall.com/lists/john-dev/2011/06/20/5
- https://bugzilla.redhat.com/show_bug.cgi?id=715025
- http://www.php.net/archive/2011.php#id2011-08-18-1