CVE-2012-2143
First published: Fri Apr 27 2012(Updated: )
A security flaw was found in the way DES and extended DES based crypt() password encryption function performed encryption of certain keys, when the key to be encrypted was provided in the Unicode encoding (certain keys were truncated before being DES digested). When the resulting ciphertext for such a previously shortened key was used as a pattern in a password protected resource, intended to be matched against subsequently encrypted value of the password field, retrieved from the user authentication dialog, it could lead to authentication bypass.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/postgresql | <9.1.4 | 9.1.4 |
| redhat/postgresql | <9.0.8 | 9.0.8 |
| redhat/postgresql | <8.4.12 | 8.4.12 |
| redhat/postgresql | <8.3.19 | 8.3.19 |
| PostgreSQL JDBC Driver | >=8.3<8.3.19 | |
| PostgreSQL JDBC Driver | >=8.4<8.4.12 | |
| PostgreSQL JDBC Driver | >=9.0<9.0.8 | |
| PostgreSQL JDBC Driver | >=9.1<9.1.4 | |
| FreeBSD FreeBSD | <=9.0 | |
| FreeBSD FreeBSD | =1.0 | |
| FreeBSD FreeBSD | =1.1 | |
| FreeBSD FreeBSD | =1.1.5 | |
| FreeBSD FreeBSD | =1.1.5.1 | |
| FreeBSD FreeBSD | =2.0 | |
| FreeBSD FreeBSD | =2.0.5 | |
| FreeBSD FreeBSD | =2.1 | |
| FreeBSD FreeBSD | =2.1.5 | |
| FreeBSD FreeBSD | =2.1.6 | |
| FreeBSD FreeBSD | =2.1.7 | |
| FreeBSD FreeBSD | =2.2 | |
| FreeBSD FreeBSD | =2.2.1 | |
| FreeBSD FreeBSD | =2.2.2 | |
| FreeBSD FreeBSD | =2.2.5 | |
| FreeBSD FreeBSD | =2.2.6 | |
| FreeBSD FreeBSD | =2.2.7 | |
| FreeBSD FreeBSD | =2.2.8 | |
| FreeBSD FreeBSD | =3.0 | |
| FreeBSD FreeBSD | =3.1 | |
| FreeBSD FreeBSD | =3.2 | |
| FreeBSD FreeBSD | =3.3 | |
| FreeBSD FreeBSD | =3.4 | |
| FreeBSD FreeBSD | =3.5 | |
| FreeBSD FreeBSD | =4.0 | |
| FreeBSD FreeBSD | =4.1 | |
| FreeBSD FreeBSD | =4.1.1 | |
| FreeBSD FreeBSD | =4.2 | |
| FreeBSD FreeBSD | =4.3 | |
| FreeBSD FreeBSD | =4.4 | |
| FreeBSD FreeBSD | =4.5 | |
| FreeBSD FreeBSD | =4.6 | |
| FreeBSD FreeBSD | =4.6.2 | |
| FreeBSD FreeBSD | =4.7 | |
| FreeBSD FreeBSD | =4.8 | |
| FreeBSD FreeBSD | =4.9 | |
| FreeBSD FreeBSD | =4.10 | |
| FreeBSD FreeBSD | =4.11 | |
| FreeBSD FreeBSD | =5.0 | |
| FreeBSD FreeBSD | =5.1 | |
| FreeBSD FreeBSD | =5.2 | |
| FreeBSD FreeBSD | =5.2.1 | |
| FreeBSD FreeBSD | =5.3 | |
| FreeBSD FreeBSD | =5.4 | |
| FreeBSD FreeBSD | =5.5 | |
| FreeBSD FreeBSD | =6.0 | |
| FreeBSD FreeBSD | =6.1 | |
| FreeBSD FreeBSD | =6.2 | |
| FreeBSD FreeBSD | =6.3 | |
| FreeBSD FreeBSD | =6.4 | |
| FreeBSD FreeBSD | =7.0 | |
| FreeBSD FreeBSD | =7.1 | |
| FreeBSD FreeBSD | =7.2 | |
| FreeBSD FreeBSD | =7.3 | |
| FreeBSD FreeBSD | =7.4 | |
| FreeBSD FreeBSD | =8.0 | |
| FreeBSD FreeBSD | =8.1 | |
| FreeBSD FreeBSD | =8.2 | |
| FreeBSD FreeBSD | =8.3 | |
| PHP | <5.3.14 | |
| PHP | >=5.4.0<5.4.4 | |
| Debian GNU/Linux | =6.0 | |
| PostgreSQL JDBC Driver | =8.3 | |
| PostgreSQL JDBC Driver | =8.4 | |
| PostgreSQL JDBC Driver | =9.0 | |
| PostgreSQL JDBC Driver | =9.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.php.net/?p=php-src.git;a=commitdiff;h=aab49e934de1fff046e659cbec46e3d053b41c34
- http://security.freebsd.org/advisories/FreeBSD-SA-12:02.crypt.asc
- http://git.postgresql.org/gitweb/?p=postgresql.git&a=commitdiff&h=932ded2ed51e8333852e370c7a6dad75d9f236f9
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=826607
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=826606
- http://www.postgresql.org/support/security/
- http://www.postgresql.org/docs/9.1/static/release-9-1-4.html
- http://www.postgresql.org/docs/9.0/static/release-9-0-8.html
- http://www.postgresql.org/docs/8.4/static/release-8-4-12.html
- http://www.postgresql.org/docs/8.3/static/release-8-3-19.html
- https://rhn.redhat.com/errata/RHSA-2012-1036.html
- https://rhn.redhat.com/errata/RHSA-2012-1037.html
- https://rhn.redhat.com/errata/RHSA-2012-1047.html
- https://rhn.redhat.com/errata/RHSA-2012-1046.html
- https://bugzilla.redhat.com/show_bug.cgi?id=816956
- http://git.php.net/?p=php-src.git;a=commit;h=aab49e934de1fff046e659cbec46e3d053b41c34
- http://git.postgresql.org/gitweb/?p=postgresql.git&a=commit&h=932ded2ed51e8333852e370c7a6dad75d9f236f9
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082258.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082292.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082294.html
- http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00003.html
- http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.html
- http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.html
- http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.html
- http://rhn.redhat.com/errata/RHSA-2012-1037.html
- http://secunia.com/advisories/49304
- http://secunia.com/advisories/50718
- http://support.apple.com/kb/HT5501
- http://www.debian.org/security/2012/dsa-2491
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:092
- http://www.securitytracker.com/id?1026995
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=aab49e934de1fff046e659cbec46e3d053b41c34
Frequently Asked Questions
What is the severity of CVE-2012-2143?
CVE-2012-2143 has been classified as a high-severity vulnerability due to its potential to expose sensitive password information.
How do I fix CVE-2012-2143?
To fix CVE-2012-2143, upgrade to PostgreSQL version 9.1.4 or later, 9.0.8 or later, 8.4.12 or later, or 8.3.19 or later.
What software is affected by CVE-2012-2143?
CVE-2012-2143 affects multiple versions of PostgreSQL and FreeBSD operating systems.
Can CVE-2012-2143 be exploited remotely?
Yes, CVE-2012-2143 can potentially be exploited remotely if malicious actors have access to the password encryption function.
What impact does CVE-2012-2143 have on password security?
CVE-2012-2143 can lead to the disclosure of passwords through improper encryption, thus compromising the security of user accounts.
- agent/type
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/description
- agent/remedy
- agent/author
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-2143
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/redhat
- vendor/postgresql
- canonical/postgresql jdbc driver
- version/postgresql jdbc driver/8.3
- version/postgresql jdbc driver/8.4
- version/postgresql jdbc driver/9.0
- version/postgresql jdbc driver/9.1
- vendor/freebsd
- canonical/freebsd freebsd
- version/freebsd freebsd/9.0
- version/freebsd freebsd/1.0
- version/freebsd freebsd/1.1
- version/freebsd freebsd/1.1.5
- version/freebsd freebsd/1.1.5.1
- version/freebsd freebsd/2.0
- version/freebsd freebsd/2.0.5
- version/freebsd freebsd/2.1
- version/freebsd freebsd/2.1.5
- version/freebsd freebsd/2.1.6
- version/freebsd freebsd/2.1.7
- version/freebsd freebsd/2.2
- version/freebsd freebsd/2.2.1
- version/freebsd freebsd/2.2.2
- version/freebsd freebsd/2.2.5
- version/freebsd freebsd/2.2.6
- version/freebsd freebsd/2.2.7
- version/freebsd freebsd/2.2.8
- version/freebsd freebsd/3.0
- version/freebsd freebsd/3.1
- version/freebsd freebsd/3.2
- version/freebsd freebsd/3.3
- version/freebsd freebsd/3.4
- version/freebsd freebsd/3.5
- version/freebsd freebsd/4.0
- version/freebsd freebsd/4.1
- version/freebsd freebsd/4.1.1
- version/freebsd freebsd/4.2
- version/freebsd freebsd/4.3
- version/freebsd freebsd/4.4
- version/freebsd freebsd/4.5
- version/freebsd freebsd/4.6
- version/freebsd freebsd/4.6.2
- version/freebsd freebsd/4.7
- version/freebsd freebsd/4.8
- version/freebsd freebsd/4.9
- version/freebsd freebsd/4.10
- version/freebsd freebsd/4.11
- version/freebsd freebsd/5.0
- version/freebsd freebsd/5.1
- version/freebsd freebsd/5.2
- version/freebsd freebsd/5.2.1
- version/freebsd freebsd/5.3
- version/freebsd freebsd/5.4
- version/freebsd freebsd/5.5
- version/freebsd freebsd/6.0
- version/freebsd freebsd/6.1
- version/freebsd freebsd/6.2
- version/freebsd freebsd/6.3
- version/freebsd freebsd/6.4
- version/freebsd freebsd/7.0
- version/freebsd freebsd/7.1
- version/freebsd freebsd/7.2
- version/freebsd freebsd/7.3
- version/freebsd freebsd/7.4
- version/freebsd freebsd/8.0
- version/freebsd freebsd/8.1
- version/freebsd freebsd/8.2
- version/freebsd freebsd/8.3
- vendor/php
- canonical/php
- version/php/5.4.0
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/6.0