Today the PHP, OpenBSD and FreeBSD communities announced updates to patch a security hole involving their crypt() hashing algorithms. This issue is described in CVE-2012-2143. This vulnerability also affects a minority of PostgreSQL users, and will be fixed in an update release on June 4, 2012.
Affected users are those who use the crypt(text, text) function with DES encryption in the optional pgcrypto module. Passwords affected are those that contain characters that cannot be represented with 7-bit ASCII. If a password contains a character that has the most significant bit set (0x80), and DES encryption is used, that character and all characters after it will be ignored.
Users of high-security applications who cannot wait for the update are recommended to do one of three things:
Note that users who patch their installations, or who apply the update on June 4th, may need to regenerate passwords for some or all of their application users due to the change in the hashing algorithm. Specifically, after the update, passwords containing 0x80 will no longer work.
The PostgreSQL Project regrets the inconvenience to our users. We are grateful to security researchers Robin Xu and Joseph Bonneau for discovering this issue.
For more information on the pgcrypto module, please see the documentation.