debian-security-announce November 2011 archive

Re: [SECURITY] [DSA 2340-1] postgresql security update

From: Oliver Marx <omarx_at_nospam>
Date: Mon Nov 07 2011 - 20:57:55 GMT
To: debian-security@lists.debian.org

Hi,

there is a problem:

packages depend upon libssl1.0.0 (=>1.0.0), but in squeeze there is
only libssl0.9.8. So installation is broken!

Regards,
Oliver

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2340-1 security@debian.org
> http://www.debian.org/security/ Thijs Kinkhorst
> November 7, 2011 http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package : postgresql-8.3, postgresql-8.4, postgresql-9.0
> Vulnerability : weak password hashing
> Problem type : remote
> Debian-specific: no
> CVE ID : CVE-2011-2483
> Debian Bug : 631285
>
> magnum discovered that the blowfish password hashing used amongst
> others in PostgreSQL contained a weakness that would give passwords
> with 8 bit characters the same hash as weaker equivalents.
>
> For the oldstable distribution (lenny), this problem has been fixed in
> postgresql-8.3 version 8.3.16-0lenny1.
>
> For the stable distribution (squeeze), this problem has been fixed in
> postgresql-8.4 version 8.4.9-0squeeze1.
>
> For the testing distribution (wheezy) and unstable distribution (sid),
> this problem has been fixed in postgresql-8.4 version 8.4.9-1,
> postgresql-9.0 9.0.5-1 and postgresql-9.1 9.1~rc1-1.
>
> The updates also include reliability improvements, originally scheduled
> for inclusion into the next point release; for details see the respective
> changelogs.
>
> We recommend that you upgrade your postgresql packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> -----END PGP SIGNATURE-----
>
>

--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4EB84653.908@av-test.de
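The weakness named in the quoted advisory, as an added example that is not part of the original message and is not PostgreSQL's or crypt_blowfish's code: it assumes the publicly documented cause of CVE-2011-2483, a sign extension of 8-bit characters during Blowfish key setup, and shows the defective read beside the corrected one. The function names and sample passwords are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BF_WORDS 18  /* Blowfish P-array size: 16 rounds + 2 */

/* Cycle the NUL-terminated password into 18 32-bit words, as Blowfish key
 * setup does. sign_bug=1 reproduces the defect: each byte is read as a
 * signed char, so a byte >= 0x80 sign-extends to 0xFFFFFFxx and overwrites
 * the bytes already shifted into the word. (Hypothetical helper name.) */
static void expand_key(const char *key, int sign_bug, uint32_t out[BF_WORDS])
{
    const char *ptr = key;
    for (int i = 0; i < BF_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (sign_bug)
                tmp |= (uint32_t)(int32_t)(signed char)*ptr; /* defect */
            else
                tmp |= (unsigned char)*ptr;                  /* fix */
            if (*ptr == '\0') ptr = key; else ptr++;
        }
        out[i] = tmp;
    }
}

/* 1 if both passwords yield the same expanded key (and therefore the same
 * hash for a given salt and cost), 0 otherwise. */
static int same_expanded_key(const char *a, const char *b, int sign_bug)
{
    uint32_t ka[BF_WORDS], kb[BF_WORDS];
    expand_key(a, sign_bug, ka);
    expand_key(b, sign_bug, kb);
    return memcmp(ka, kb, sizeof ka) == 0;
}

int main(void)
{
    /* Constructed sample passwords; 0xA3 is the pound sign in Latin-1. */
    const char *p1 = "ab\xa3", *p2 = "xy\xa3", *p3 = "\xa3";
    printf("buggy p1/p2: %d\n", same_expanded_key(p1, p2, 1));
    printf("buggy p1/p3: %d\n", same_expanded_key(p1, p3, 1));
    printf("fixed p1/p2: %d\n", same_expanded_key(p1, p2, 0));
    printf("fixed p1/p3: %d\n", same_expanded_key(p1, p3, 0));
    return 0;
}
```

Hashes computed by an affected build for passwords containing 8-bit characters do not match what a fixed build computes for the same password, so such accounts may need a password reset after the upgrade.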