Your message dated Mon, 26 Sep 2011 12:48:16 +0000
with message-id <e1r8aby-0000ir...@franck.debian.org>
and subject line Bug#631285: fixed in postgresql-8.4 8.4.9-1
has caused the Debian Bug report #631285,
regarding CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows
different password pairs to produce the same hash
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
631285: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631285
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: postgresql
Severity: serious
Tags: security
Hi,
A bug in crypt_blowfish was reported [1,2,3]. The function BF_set_key in
postgresql is vulnerable. The RH report [4] may be useful too. Upstream already
has a patch [5].
Please consider providing patches for stable and oldstable too.
The CVE (Common Vulnerabilities & Exposures) assigned is CVE-2011-2483.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
[1] http://www.openwall.com/lists/oss-security/2011/06/20/2
[2] http://www.openwall.com/lists/john-dev/2011/06/20/3
[3] http://www.openwall.com/lists/john-dev/2011/06/20/5
[4] https://bugzilla.redhat.com/show_bug.cgi?id=715025
[5] http://git.postgresql.org/gitweb?p=postgresql.git;a=commitdiff;h=ca59dfa6f727fe3bf3a01904ec30e87f7fa5a67e
-luciano
--- End Message ---
--- Begin Message ---
Source: postgresql-8.4
Source-Version: 8.4.9-1
We believe that the bug you reported is fixed in the latest version of
postgresql-8.4, which is due to be installed in the Debian FTP archive:
postgresql-8.4_8.4.9-1.diff.gz
to main/p/postgresql-8.4/postgresql-8.4_8.4.9-1.diff.gz
postgresql-8.4_8.4.9-1.dsc
to main/p/postgresql-8.4/postgresql-8.4_8.4.9-1.dsc
postgresql-8.4_8.4.9-1_amd64.deb
to main/p/postgresql-8.4/postgresql-8.4_8.4.9-1_amd64.deb
postgresql-8.4_8.4.9.orig.tar.gz
to main/p/postgresql-8.4/postgresql-8.4_8.4.9.orig.tar.gz
postgresql-client-8.4_8.4.9-1_amd64.deb
to main/p/postgresql-8.4/postgresql-client-8.4_8.4.9-1_amd64.deb
postgresql-contrib-8.4_8.4.9-1_amd64.deb
to main/p/postgresql-8.4/postgresql-contrib-8.4_8.4.9-1_amd64.deb
postgresql-doc-8.4_8.4.9-1_all.deb
to main/p/postgresql-8.4/postgresql-doc-8.4_8.4.9-1_all.deb
postgresql-plperl-8.4_8.4.9-1_amd64.deb
to main/p/postgresql-8.4/postgresql-plperl-8.4_8.4.9-1_amd64.deb
postgresql-plpython-8.4_8.4.9-1_amd64.deb
to main/p/postgresql-8.4/postgresql-plpython-8.4_8.4.9-1_amd64.deb
postgresql-pltcl-8.4_8.4.9-1_amd64.deb
to main/p/postgresql-8.4/postgresql-pltcl-8.4_8.4.9-1_amd64.deb
postgresql-server-dev-8.4_8.4.9-1_amd64.deb
to main/p/postgresql-8.4/postgresql-server-dev-8.4_8.4.9-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 631...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Pitt <mp...@debian.org> (supplier of updated postgresql-8.4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 25 Sep 2011 14:23:57 +0200
Source: postgresql-8.4
Binary: postgresql-8.4 postgresql-client-8.4 postgresql-server-dev-8.4 postgresql-doc-8.4 postgresql-contrib-8.4 postgresql-plperl-8.4 postgresql-plpython-8.4 postgresql-pltcl-8.4
Architecture: source all amd64
Version: 8.4.9-1
Distribution: unstable
Urgency: low
Maintainer: Martin Pitt <mp...@debian.org>
Changed-By: Martin Pitt <mp...@debian.org>
Description:
postgresql-8.4 - object-relational SQL database, version 8.4 server
postgresql-client-8.4 - front-end programs for PostgreSQL 8.4
postgresql-contrib-8.4 - additional facilities for PostgreSQL
postgresql-doc-8.4 - documentation for the PostgreSQL database management system
postgresql-plperl-8.4 - PL/Perl procedural language for PostgreSQL 8.4
postgresql-plpython-8.4 - PL/Python procedural language for PostgreSQL 8.4
postgresql-pltcl-8.4 - PL/Tcl procedural language for PostgreSQL 8.4
postgresql-server-dev-8.4 - development files for PostgreSQL 8.4 server-side programming
Closes: 628503 631285
Changes:
postgresql-8.4 (8.4.9-1) unstable; urgency=low
.
* New upstream bug fix release:
- Fix bugs in indexing of in-doubt HOT-updated tuples.
These bugs could result in index corruption after reindexing a
system catalog. They are not believed to affect user indexes.
- Fix multiple bugs in GiST index page split processing.
The probability of occurrence was low, but these could lead to
index corruption.
- Fix possible buffer overrun in tsvector_concat().
The function could underestimate the amount of memory needed for
its result, leading to server crashes.
- Fix crash in xml_recv when processing a "standalone" parameter.
- Make pg_options_to_table return NULL for an option with no value.
Previously such cases would result in a server crash.
- Avoid possibly accessing off the end of memory in "ANALYZE" and in
SJIS-2004 encoding conversion.
This fixes some very-low-probability server crash scenarios.
- Prevent intermittent hang in interactions of startup process with
bgwriter process.
This affected recovery in non-hot-standby cases.
- Fix race condition in relcache init file invalidation.
There was a window wherein a new backend process could read a stale
init file but miss the inval messages that would tell it the data
is stale. The result would be bizarre failures in catalog accesses,
typically "could not read block 0 in file ..." later during
startup.
- Fix memory leak at end of a GiST index scan.
Commands that perform many separate GiST index scans, such as
verification of a new GiST-based exclusion constraint on a table
already containing many rows, could transiently require large
amounts of memory due to this leak.
- Fix incorrect memory accounting (leading to possible memory bloat)
in tuplestores supporting holdable cursors and plpgsql's RETURN
NEXT command.
- Fix performance problem when constructing a large, lossy bitmap.
- Fix join selectivity estimation for unique columns.
This fixes an erroneous planner heuristic that could lead to poor
estimates of the result size of a join.
- Fix nested PlaceHolderVar expressions that appear only in
sub-select target lists. This mistake could result in outputs of an
outer join incorrectly appearing as NULL.
- Allow nested EXISTS queries to be optimized properly.
- Fix array- and path-creating functions to ensure padding bytes are
zeroes. This avoids some situations where the planner will think that
semantically-equal constants are not equal, resulting in poor
optimization.
- Fix "EXPLAIN" to handle gating Result nodes within inner-indexscan
subplans. The usual symptom of this oversight was "bogus varno" errors.
- Work around gcc 4.6.0 bug that breaks WAL replay. This could lead to
loss of committed transactions after a server crash.
- Fix dump bug for VALUES in a view.
- Disallow SELECT FOR UPDATE/SHARE on sequences.
This operation doesn't work as expected and can lead to failures.
- Fix "VACUUM" so that it always updates pg_class.reltuples/relpages.
This fixes some scenarios where autovacuum could make increasingly
poor decisions about when to vacuum tables.
- Defend against integer overflow when computing size of a hash table.
- Fix cases where "CLUSTER" might attempt to access already-removed
TOAST data.
- Fix portability bugs in use of credentials control messages for
"peer" authentication.
- Fix SSPI login when multiple roundtrips are required.
The typical symptom of this problem was "The function requested is
not supported" errors during SSPI login.
- Throw an error if "pg_hba.conf" contains hostssl but SSL is
disabled. This was concluded to be more user-friendly than the
previous behavior of silently ignoring such lines.
- Fix typo in pg_srand48 seed initialization.
This led to failure to use all bits of the provided seed. This
function is not used on most platforms (only those without
srandom), and the potential security exposure from a
less-random-than-expected seed seems minimal in any case.
- Avoid integer overflow when the sum of LIMIT and OFFSET values
exceeds 2^63.
- Add overflow checks to int4 and int8 versions of generate_series().
- Fix trailing-zero removal in to_char(). In a format with FM and no
digit positions after the decimal point, zeroes to the left of the
decimal point could be removed incorrectly.
- Fix pg_size_pretty() to avoid overflow for inputs close to 2^63.
- Weaken plpgsql's check for typmod matching in record values.
An overly enthusiastic check could lead to discarding length
modifiers that should have been kept.
- Fix pg_upgrade to preserve toast tables' relfrozenxids during an
upgrade from 8.3. Failure to do this could lead to "pg_clog" files
being removed too soon after the upgrade.
- Fix psql's counting of script file line numbers during COPY from a
different file.
- Fix pg_restore's direct-to-database mode for
standard_conforming_strings. pg_restore could emit incorrect commands
when restoring directly to a database server from an archive file that
had been made with standard_conforming_strings set to on.
- Be more user-friendly about unsupported cases for parallel
pg_restore. This change ensures that such cases are detected and
reported before any restore actions have been taken.
- Fix write-past-buffer-end and memory leak in libpq's LDAP service
lookup code.
- In libpq, avoid failures when using nonblocking I/O and an SSL
connection.
- Improve libpq's handling of failures during connection startup.
In particular, the response to a server report of fork() failure
during SSL connection startup is now saner.
- Improve libpq's error reporting for SSL failures.
- Fix PQsetvalue() to avoid possible crash when adding a new tuple to
a PGresult originally obtained from a server query.
- Make ecpglib write double values with 15 digits precision.
- In ecpglib, be sure LC_NUMERIC setting is restored after an error.
- Apply upstream fix for blowfish signed-character bug
(CVE-2011-2483) (Closes: #631285)
"contrib/pg_crypto"'s blowfish encryption code could give wrong
results on platforms where char is signed (which is most), leading
to encrypted passwords being weaker than they should be.
- Fix memory leak in "contrib/seg".
- Fix pgstatindex() to give consistent results for empty indexes.
- Allow building with perl 5.14. (Closes: #628503)
* Drop 16-cmsgcred-size.patch, fixed upstream in a different way.
Checksums-Sha1:
19a83b8e54aad00eb8dd630d653ed49ffa1f7280 2300 postgresql-8.4_8.4.9-1.dsc
08e2a6f939e221437f8cfcc044f0f29210e43a78 17853113 postgresql-8.4_8.4.9.orig.tar.gz
8147710da940ff04021eacba25157585bf3375aa 43326 postgresql-8.4_8.4.9-1.diff.gz
c1b427393fdc1c28784de022c173895ce39431c1 2166342 postgresql-doc-8.4_8.4.9-1_all.deb
d909260988053aaec9314c6186b8aac03ebbd724 5479420 postgresql-8.4_8.4.9-1_amd64.deb
62a0e2a2ad8b318a070c1ae3cf6e9d4f5e8fd2c8 1495146 postgresql-client-8.4_8.4.9-1_amd64.deb
0abdf9f25700b20c9b451ab15ceb7ff4a63c0c08 645724 postgresql-server-dev-8.4_8.4.9-1_amd64.deb
8efc305a4b674f272842306f096cf3df912bb04d 439798 postgresql-contrib-8.4_8.4.9-1_amd64.deb
d355e0eeb56a564aeb00cd44b7ebb446e83f3387 67292 postgresql-plperl-8.4_8.4.9-1_amd64.deb
344ee6f4ed341c12ab08639da3b8725f7168a1fd 63976 postgresql-plpython-8.4_8.4.9-1_amd64.deb
18ccc6bdc673d5ac837ca2938fceeb19c02c7d30 50436 postgresql-pltcl-8.4_8.4.9-1_amd64.deb
Checksums-Sha256:
44687a23de874bd25f1bc4fbb794ddd5286993dd4270885f175b7d2bd0c9adb9 2300 postgresql-8.4_8.4.9-1.dsc
d23ab8edf48f7e058ddc8ef2d97159a0da37c328061bc287255288868d781a57 17853113 postgresql-8.4_8.4.9.orig.tar.gz
d83e381ace34dc0bc59f0dc1b6bbb493d55e62f2cb268782457ee3b57af83858 43326 postgresql-8.4_8.4.9-1.diff.gz
65b24a0ba93e73da958bca3a3dc303fb34a2f474afefbec2fac264416eb81f63 2166342 postgresql-doc-8.4_8.4.9-1_all.deb
cf725dcb9523abef2cf72caca1cebb6478ff4a3ba258d914b6568d76d8b3cd5a 5479420 postgresql-8.4_8.4.9-1_amd64.deb
e0a5d65516f82c3e5d78554ffb7d6edf7026497c27b8c8dc85bf233eb84b40d5 1495146 postgresql-client-8.4_8.4.9-1_amd64.deb
4849e77b274a10db2cc7639c4298f992808b383f11cd4372ac8eda6967259a5a 645724 postgresql-server-dev-8.4_8.4.9-1_amd64.deb
af6bc54426e5cd1bd6205e15d6f9b5e727a39c3d5044cc695e4bf70c1642efe2 439798 postgresql-contrib-8.4_8.4.9-1_amd64.deb
151d292f38cf026598ee32ee0e8c2563c099eb4942958576985b6e2306567c3b 67292 postgresql-plperl-8.4_8.4.9-1_amd64.deb
ed0aa7233ff9603775175f9f888d72469946287052bd2193865fdd032d642020 63976 postgresql-plpython-8.4_8.4.9-1_amd64.deb
5bf9f5ff5dfc387a65be79c5720c91b4ee2a55e2cb7de87aa34e8fdbbdffc884 50436 postgresql-pltcl-8.4_8.4.9-1_amd64.deb
Files:
506411119c90e966c9d7292850da9401 2300 database optional postgresql-8.4_8.4.9-1.dsc
7f69c8bb6b7994cbd863685a2d65f4db 17853113 database optional postgresql-8.4_8.4.9.orig.tar.gz
be354e9992863e86a0a19b3631792845 43326 database optional postgresql-8.4_8.4.9-1.diff.gz
adb192517b7122e576615c276333b49f 2166342 doc optional postgresql-doc-8.4_8.4.9-1_all.deb
73ef235c5918d4b0b3dcfa3f1219a646 5479420 database optional postgresql-8.4_8.4.9-1_amd64.deb
0800615ee4624bb0ed8b968f68c174ff 1495146 database optional postgresql-client-8.4_8.4.9-1_amd64.deb
dac3c2259bc7e51b478aa13834bd7108 645724 libdevel optional postgresql-server-dev-8.4_8.4.9-1_amd64.deb
6dcd07d0bdad8a1e93e1a1eb656fbe85 439798 database optional postgresql-contrib-8.4_8.4.9-1_amd64.deb
eb758a096762cb9b2f6c0b7131fbe30e 67292 database optional postgresql-plperl-8.4_8.4.9-1_amd64.deb
dbe04b9225c2032f75ac4d1dcdcb9755 63976 database optional postgresql-plpython-8.4_8.4.9-1_amd64.deb
9f284f5ae6995268de42ebd10695974b 50436 database optional postgresql-pltcl-8.4_8.4.9-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
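The changelog entry for CVE-2011-2483 above says the blowfish code "could give wrong results on platforms where char is signed". The following is an added illustration of that bug class; it is not code from this bug report, from PostgreSQL or from crypt_blowfish, but a reduced model of the Blowfish key-setup step that cycles the password bytes (NUL terminator included) into 18 32-bit words. The function names, the explicit signed/unsigned flag and the sample passwords are assumptions made for this example.

```c
/*
 * Added illustration of the CVE-2011-2483 "signed-character" bug class.
 * This is NOT PostgreSQL's or crypt_blowfish's code: it is a reduced model of
 * the Blowfish key-setup step that cycles the password (including its NUL
 * terminator) into 18 32-bit words. The function names, the sample passwords
 * and the explicit signed/unsigned flag are assumptions made for the example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_WORDS 18   /* Blowfish P-array size (16 rounds + 2) */

/*
 * Pack the password into KEY_WORDS big-endian words, four bytes per word,
 * wrapping to the start of the password after its NUL terminator.
 * signed_bytes != 0 reproduces the bug: each byte is read as a *signed* char,
 * as happens with a plain 'char *' on most platforms. A byte >= 0x80 then
 * promotes to a negative int, becomes 0xFFFFFFxx when it meets the uint32_t,
 * and the OR sets every higher bit of the word, erasing the bytes already
 * packed into it.
 */
static void pack_key(const char *key, uint32_t out[KEY_WORDS], int signed_bytes)
{
    const char *ptr = key;

    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            int c = signed_bytes ? (int)(signed char)*ptr
                                 : (int)(unsigned char)*ptr;
            tmp <<= 8;
            tmp |= (uint32_t)c;          /* a negative c arrives here as 0xFFFFFFxx */
            if (*ptr) ptr++; else ptr = key;
        }
        out[i] = tmp;
    }
}

/* First packed word, useful for showing exactly which bytes were lost. */
uint32_t first_key_word(const char *key, int signed_bytes)
{
    uint32_t w[KEY_WORDS];
    pack_key(key, w, signed_bytes);
    return w[0];
}

/* 1 if two different passwords expand to identical key material, else 0. */
int keys_collide(const char *a, const char *b, int signed_bytes)
{
    uint32_t wa[KEY_WORDS], wb[KEY_WORDS];

    if (strcmp(a, b) == 0)
        return 0;
    pack_key(a, wa, signed_bytes);
    pack_key(b, wb, signed_bytes);
    return memcmp(wa, wb, sizeof wa) == 0;
}

int main(void)
{
    /*
     * Constructed sample passwords (not taken from any real system). They
     * differ only in the two bytes before the 8-bit byte 0xA3. Seven
     * characters plus NUL make an 8-byte cycle, so those two bytes always
     * share a word with 0xA3 and are erased by the sign-extended OR on every
     * repetition. The literal is split so the hex escape does not swallow "cdef".
     */
    const char *p1 = "ab\xA3" "cdef";
    const char *p2 = "xy\xA3" "cdef";

    printf("signed   : word0 %08x vs %08x, collide=%d\n",
           (unsigned)first_key_word(p1, 1), (unsigned)first_key_word(p2, 1),
           keys_collide(p1, p2, 1));
    printf("unsigned : word0 %08x vs %08x, collide=%d\n",
           (unsigned)first_key_word(p1, 0), (unsigned)first_key_word(p2, 0),
           keys_collide(p1, p2, 0));
    return 0;
}
```

With the signed flag the first word of both passwords collapses to 0xFFFFA363 and all 18 words match, so the two distinct passwords would enter the cipher with the same key; reading through unsigned char keeps 0x6162A363 and 0x7879A363 apart. Only passwords containing a byte of 0x80 or above are affected: pure ASCII packs identically under both variants, which is why the problem went unnoticed for so long and why the fix changes the hash of exactly those passwords.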