Debian DSA-2340-1 : postgresql-8.3, postgresql-8.4, postgresql-9.0 - weak password hashing
Medium Nessus Plugin ID 56730
Synopsis
The remote Debian host is missing a security-related update.
Description
magnum discovered that the Blowfish password hashing used, among others, in PostgreSQL contained a weakness that would give passwords with 8-bit characters the same hash as weaker equivalents.
Solution
Upgrade the postgresql packages.
For the oldstable distribution (lenny), this problem has been fixed in postgresql-8.3 version 8.3.16-0lenny1.
For the stable distribution (squeeze), this problem has been fixed in postgresql-8.4 version 8.4.9-0squeeze1.
The updates also include reliability improvements, originally scheduled for inclusion into the next point release; for details see the respective changelogs.