FreeBSD : databases/postgresql*-server -- crypt vulnerabilities (a8864f8f-aa9e-11e1-a284-0023ae8e59f0)

medium Nessus Plugin ID 59314

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The PostgreSQL Global Development Group reports:

Today the PHP, OpenBSD and FreeBSD communities announced updates to patch a security hole involving their crypt() hashing algorithms. This issue is described in CVE-2012-2143. This vulnerability also affects a minority of PostgreSQL users, and will be fixed in an update release on June 4, 2012.

Affected users are those who use the crypt(text, text) function with DES encryption in the optional pg_crypto module. Passwords affected are those that contain characters that cannot be represented with 7-bit ASCII. If a password contains a character that has the most significant bit set (0x80), and DES encryption is used, that character and all characters after it will be ignored.
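A triage helper for the condition the quoted announcement describes, added here as an example; it is not part of the advisory, the plugin, or PostgreSQL's code. It classifies a stored crypt() value by format and, at login, flags DES-based hashes whose password contains bytes outside 7-bit ASCII. The function names are hypothetical, treating both pgcrypto DES variants (`des` and `xdes`) as DES-based is an assumption, and so is UTF-8 as the password encoding.

```python
import re

# Output formats of crypt(3)-style hashes, as produced for pgcrypto's
# gen_salt() types 'des', 'xdes', 'md5' and 'bf'.
_B64 = r"[./0-9A-Za-z]"
_DES = re.compile(rf"^{_B64}{{13}}$")    # 2-char salt + 11-char hash
_XDES = re.compile(rf"^_{_B64}{{19}}$")  # '_' + 4 count + 4 salt + 11 hash


def hash_scheme(stored: str) -> str:
    """Classify a stored crypt() value by its format."""
    if stored.startswith("$2"):
        return "bf"
    if stored.startswith("$1$"):
        return "md5"
    if _XDES.match(stored):
        return "xdes"
    if _DES.match(stored):
        return "des"
    return "unknown"


def has_high_bit_byte(password: str, encoding: str = "utf-8") -> bool:
    """True if any encoded byte is outside 7-bit ASCII (bit 0x80 set)."""
    # Assumption: the database sees the password in this encoding.
    return any(b & 0x80 for b in password.encode(encoding))


def triage(stored: str, password: str) -> str:
    """Label one credential at login, when the plaintext is available."""
    if hash_scheme(stored) not in ("des", "xdes"):
        return "ok"
    if has_high_bit_byte(password):
        return "rehash-affected"  # the condition the advisory describes
    return "des-ascii-only"       # DES-based, but outside that condition


# Constructed sample values: format-valid strings, not real hashes.
SAMPLE_DES = "sa" + "A" * 11
SAMPLE_XDES = "_0000salt" + "A" * 11
SAMPLE_BF = "$2a$06$" + "A" * 53

if __name__ == "__main__":
    for stored, pw in [(SAMPLE_DES, "p\u00e4ssword"), (SAMPLE_DES, "password"),
                       (SAMPLE_XDES, "na\u00efve"), (SAMPLE_BF, "p\u00e4ssword")]:
        print(hash_scheme(stored), repr(pw), "->", triage(stored, pw))
```

Credentials labelled `rehash-affected` are the ones to re-hash once the updated package is installed, since their stored value was computed by the flawed routine.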

Solution

Update the affected packages.

See Also

https://www.postgresql.org/about/news/1397/

http://www.nessus.org/u?04861d64

http://www.nessus.org/u?831ede81

Plugin Details

Severity: Medium

ID: 59314

File Name: freebsd_pkg_a8864f8faa9e11e1a2840023ae8e59f0.nasl

Version: 1.13

Type: local

Published: 5/31/2012

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:postgresql-server, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 5/30/2012

Vulnerability Publication Date: 5/30/2012

Reference Information

CVE: CVE-2012-2143