Security Patch 2012-05-30

From: Selena Deckelmann <selena(at)postgresql(dot)org>
To: pgsql-announce(at)postgresql(dot)org
Subject: Security Patch 2012-05-30
Date: 2012-05-30 18:38:56
Message-ID: CAN1EF+zTrz2jHxVE_jO+=RQuxZgCmoZsXeo8dta4D-vFPP-9hQ@mail.gmail.com
Lists: pgsql-announce

Today the PHP, OpenBSD and FreeBSD communities announced updates to
patch a security hole involving their crypt() hashing algorithms.
This issue is described in CVE-2012-2143
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143). This
vulnerability also affects a minority of PostgreSQL users, and will be
fixed in an update release on June 4, 2012.

Affected users are those who use the crypt(text, text) function with
DES encryption in the optional pg_crypto module. Passwords affected
are those that contain characters that cannot be represented with
7-bit ASCII. If a password contains a character that has the most
significant bit set (0x80), and DES encryption is used, that character
and all characters after it will be ignored.

Users of high-security applications who cannot wait for the update are
recommended to do one of three things:

* switch from using crypt() with DES to a more current encryption
algorithm such as Blowfish.
* download the patch
(http://git.postgresql.org/gitweb/?p=postgresql.git;a=patch;h=932ded2ed51e8333852e370c7a6dad75d9f236f9),
patch their own installations in source code form, reinstall
pg_crypto, disconnect all sessions and restart them to reload the
library or restart the server.
* add a check to ensure that no password passed to crypt() contains
a character with the 0x80 bit set (i.e. anything outside 7-bit ASCII).

Note that users who patch their installations, or who apply the update
on June 4th, may need to regenerate passwords for some or all of their
application users due to the change in the hashing algorithm.
Specifically, after the update, passwords containing 0x80 will no
longer work.
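The following is an added example, not code from the announcement or from the PostgreSQL project. It implements, in plain Python, the two defensive steps the announcement describes: the pre-hash check from the third workaround (reject any password containing a byte with the 0x80 bit set before it reaches crypt(text, text) with DES), and an inventory of stored hashes so that administrators know which rows use the DES variant and may need regenerated passwords after the fix. The effective_des_key function is only a model of the behaviour the announcement states (everything from the first high-bit byte onward is ignored; DES crypt additionally uses at most the first 8 bytes of the key); it is not pgcrypto's implementation. The hash-format detection relies on the standard modular-crypt prefixes, and the sample rows are constructed.

```python
# Added example (not part of the PostgreSQL announcement or of pgcrypto).
# Pure Python, runs offline; the SAMPLE_ROWS below are constructed values.

import re

# Traditional DES crypt() output carries no prefix: 2 salt chars + 11 hash
# chars, all from the [./0-9A-Za-z] alphabet. Other pgcrypto variants use
# the standard modular-crypt prefixes checked in classify_hash().
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(stored: str) -> str:
    """Return 'bf', 'md5', 'des' or 'unknown' for a stored crypt() hash."""
    if stored.startswith(("$2a$", "$2x$", "$2y$")):
        return "bf"          # Blowfish: the algorithm the announcement recommends
    if stored.startswith("$1$"):
        return "md5"
    if _DES_RE.match(stored):
        return "des"         # the variant affected by CVE-2012-2143
    return "unknown"


def has_high_bit(password: str, encoding: str = "utf-8") -> bool:
    """True if any byte of the encoded password has bit 0x80 set, i.e. the
    password is not representable in 7-bit ASCII. This is the check the
    third workaround asks applications to perform before calling crypt()."""
    return any(b & 0x80 for b in password.encode(encoding))


def effective_des_key(password: str, encoding: str = "utf-8") -> bytes:
    """Model (assumption, not pgcrypto code) of the key the unpatched DES
    path effectively hashes: the first byte with 0x80 set and every byte
    after it are dropped, and DES crypt only uses the first 8 key bytes."""
    raw = password.encode(encoding)
    for i, b in enumerate(raw):
        if b & 0x80:
            raw = raw[:i]
            break
    return raw[:8]


def audit_stored_hashes(rows):
    """rows: iterable of (username, stored_hash). Returns the usernames whose
    hashes were produced by the DES variant; those are the accounts whose
    passwords may stop matching after the fix and may need regeneration."""
    return [user for user, stored in rows if classify_hash(stored) == "des"]


# Constructed sample table: one DES-format hash, one Blowfish, one MD5.
SAMPLE_ROWS = [
    ("alice", "abJnggxhB/yWI"),
    ("bob", "$2a$06$" + "a" * 53),
    ("carol", "$1$saltsalt$" + "x" * 22),
]

if __name__ == "__main__":
    for pw in ("password", "p\u00e4ssword"):
        print(f"{pw!r}: high-bit={has_high_bit(pw)} effective DES key={effective_des_key(pw)!r}")
    print("accounts to regenerate after the update:", audit_stored_hashes(SAMPLE_ROWS))
```

Run against a real table, the audit loop would simply iterate over the username and hash columns fetched from the database; the check in has_high_bit belongs at the application layer, in front of the INSERT or UPDATE that calls crypt(), so that a rejected password never reaches the unpatched DES code path.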

The PostgreSQL Project regrets the inconvenience to our users. We are
grateful to security researchers Robin Xu and Joseph Bonneau for
discovering this issue.

For more information on the pgcrypto module, please see:
http://www.postgresql.org/docs/current/static/pgcrypto.html
