Re: Crypt change in 9.4.5
From | Jan de Visser |
---|---|
Subject | Re: Crypt change in 9.4.5 |
Date | |
Msg-id | 1983960.4XIaF0rtVD@coyote |
In reply to | Crypt change in 9.4.5 (<andomar@aule.net>) |
List | pgsql-general |
On Friday, March 18, 2016 1:18:01 PM EDT andomar@aule.net wrote:

> Hi,
>
> After upgrading to PostgreSQL 9.4.6, our test system gave error messages
> like:
>
> ERROR: invalid salt
>
> The cause of these errors is statements like:
>
> WHERE password = crypt('secret', 'secret')
>
> After reverting to Postgres 9.4.4 the test system worked properly again.
>
> This might be related to a security fix in 9.4.5:
>
> ---
> Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh
> Kupershmidt)
> Certain invalid salt arguments crashed the server or disclosed a few bytes
> of server memory. We have not ruled out the viability of attacks that
> arrange for presence of confidential information in the disclosed bytes, but
> they seem unlikely. (CVE-2015-5288)
> ---
>
> The "crypt" call is hardcoded in legacy code that hasn't been recompiled in
> years. Are there ways to keep the old code running against a newer Postgres
> version?

You could get the source of 9.4.6 from git, back out the commit for that fix, and compile.
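For comparison, the documented pgcrypto pattern in which the salt comes from gen_salt() and the stored hash is reused as the salt on verification, so crypt() is never handed a hand-built salt string like the one in the failing WHERE clause. This is an added illustration, not code from either poster; the users table, its columns and the sample password are assumptions.

```sql
-- Added example, not from the thread. Assumes pgcrypto is installed and
-- that the application keeps password hashes in users(name, password).
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE users (
    name     text PRIMARY KEY,
    password text NOT NULL   -- holds the crypt() output, salt included
);

-- Store a hash built with a freshly generated salt. gen_salt('bf', 10)
-- returns a well-formed bcrypt salt with cost factor 10, which is the
-- value crypt() expects as its second argument.
INSERT INTO users (name, password)
VALUES ('alice', crypt('secret', gen_salt('bf', 10)));

-- Verify a login: the stored hash is passed back as the salt, so the
-- same salt and cost are used and the result is byte-for-byte comparable.
-- Returns one row for the correct password.
SELECT name
FROM users
WHERE name = 'alice'
  AND password = crypt('secret', password);

-- Same check with a wrong password: returns no rows.
SELECT name
FROM users
WHERE name = 'alice'
  AND password = crypt('wrong', password);
```

Legacy rows whose hash was produced by a literal salt such as crypt('secret', 'secret') cannot be rewritten into this form without the plaintext, so they would need to be re-hashed at the user's next successful login.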