From: | Jan de Visser <jan(at)de-visser(dot)net> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Cc: | andomar(at)aule(dot)net |
Subject: | Re: Crypt change in 9.4.5 |
Date: | 2016-03-18 12:41:42 |
Message-ID: | 1983960.4XIaF0rtVD@coyote |
Lists: | pgsql-general |
On Friday, March 18, 2016 1:18:01 PM EDT andomar(at)aule(dot)net wrote:
> Hi,
>
> After upgrading to PostgreSQL 9.4.6, our test system gave error messages
> like:
>
> ERROR: invalid salt
>
> The cause of these errors is statements like:
>
> WHERE password = crypt('secret', 'secret')
>
> After reverting to Postgres 9.4.4 the test system worked properly again.
>
> This might be related to a security fix in 9.4.5:
>
> ---
> Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh
> Kupershmidt)
> Certain invalid salt arguments crashed the server or disclosed a few bytes
> of server memory. We have not ruled out the viability of attacks that
> arrange for presence of confidential information in the disclosed bytes, but
> they seem unlikely. (CVE-2015-5288)
> ---
>
> The "crypt" call is hardcoded in legacy code that hasn't been recompiled in
> years. Are there ways to keep the old code running against a newer Postgres
> version?
You could get the source of 9.4.6 from git, back out the commit for that fix,
and compile.
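An added example, not code from this thread or from the pgcrypto project, showing the crypt() usage that keeps working under the 9.4.5 salt check: hash with a salt produced by gen_salt() rather than reusing the password as the salt, and verify a login by passing the stored hash back in as the salt argument. The `users(name, password)` table is an assumed schema for illustration.

```sql
-- Added example (not from the thread). Assumes the pgcrypto extension is
-- available and a hypothetical table users(name text, password text) whose
-- password column holds crypt() hashes.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- The pattern from the report: the plaintext doubles as the salt. The
-- thread reports that this raises "ERROR: invalid salt" on 9.4.5 and later.
-- It also means every row with the same password gets the same hash,
-- because no per-row random salt is involved.
-- SELECT crypt('secret', 'secret');

-- Storing a new password: let gen_salt() build a correctly formatted,
-- random salt. 'bf' selects the Blowfish-based scheme; the optional
-- second argument is the iteration cost (higher is slower to brute force).
INSERT INTO users (name, password)
VALUES ('alice', crypt('correct horse battery staple', gen_salt('bf', 10)));

-- Verifying a login attempt: pass the stored hash as the salt argument.
-- crypt() reads the algorithm, cost and salt back out of the hash prefix,
-- so the result equals the stored value only when the password matches.
SELECT name
FROM users
WHERE name = 'alice'
  AND password = crypt('correct horse battery staple', password);
```

Because the salt is embedded in the stored hash, the verification query needs no separate salt column, and the legacy `crypt(pw, pw)` comparison can be replaced without changing the table layout.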