| From | <andomar(at)aule(dot)net> |
|---|---|
| To | <pgsql-general(at)postgresql(dot)org> |
| Subject | Crypt change in 9.4.5 |
| Date | 2016-03-18 12:18:01 |
| Message-ID | 385a01d18110$37d375c0$a77a6140$@aule.net |
| Lists | pgsql-general |
Hi,

After upgrading to PostgreSQL 9.4.6, our test system gave error messages like:

ERROR: invalid salt

The cause of these errors is statements like:

WHERE password = crypt('secret', 'secret')

After reverting to Postgres 9.4.4 the test system worked properly again.

This might be related to a security fix in 9.4.5:

---
Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt)

Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288)
---

The "crypt" call is hardcoded in legacy code that hasn't been recompiled in years. Are there ways to keep the old code running against a newer Postgres version?

Kind regards,
Andomar
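The following is an added example, not part of the original post and not code from the pgcrypto project. It shows the documented pgcrypto pattern that avoids passing an arbitrary literal as the salt: generate the salt with gen_salt() when storing a password, and verify a login by passing the stored hash back to crypt() as the salt. The table name, column names and sample user are assumptions made for illustration.

```sql
-- Added example (not from the original post): pgcrypto usage that lets
-- gen_salt() build a well-formed salt and verifies against the stored hash.
-- The table, columns and the user 'alice' are assumptions for illustration.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE app_user (
    username text PRIMARY KEY,
    password text NOT NULL   -- holds the crypt() hash, never the plaintext
);

-- Storing a password: the second argument to crypt() must be a salt in the
-- format the chosen algorithm expects; gen_salt() produces one (here bcrypt
-- with cost factor 10).
INSERT INTO app_user (username, password)
VALUES ('alice', crypt('secret', gen_salt('bf', 10)));

-- Verifying a login: re-run crypt() with the stored hash as the salt.
-- crypt() reads the algorithm and salt from the hash prefix, so the row is
-- returned only when the supplied plaintext matches the stored hash.
SELECT username
FROM app_user
WHERE username = 'alice'
  AND password = crypt('secret', password);

-- Contrast with the form quoted in the post, which passes a fixed literal as
-- the salt and is what produced "ERROR: invalid salt" on the upgraded server:
-- SELECT crypt('secret', 'secret');
```

With this pattern the salt is always one that crypt() itself recognises, so the too-short-salt check introduced by the 9.4.5 fix is never triggered, and each stored hash carries its own random salt rather than a shared constant.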