Description
contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes it easier for attackers to obtain the key via a brute force attack.
It was discovered that the pgcrypto module could return different error messages when decrypting certain data with an incorrect key. This could potentially help an authenticated user to launch a possible cryptographic attack, although no suitable attack is currently known.
Report
Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This flaw has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
CloudForms Management Engine 5 | postgresql | Affected | ||
CloudForms Management Engine 5 | postgresql92-postgresql | Affected | ||
Red Hat Enterprise Linux 5 | postgresql | Affected | ||
Red Hat Enterprise Linux 5 | postgresql84 | Affected | ||
Red Hat Satellite 5.7 | postgresql92 | Affected | ||
Red Hat Enterprise Linux 6 | postgresql | Fixed | RHSA-2015:1194 | 29.06.2015 |
Red Hat Enterprise Linux 7 | postgresql | Fixed | RHSA-2015:1194 | 29.06.2015 |
Red Hat Software Collections for Red Hat Enterprise Linux 6 | postgresql92-postgresql | Fixed | RHSA-2015:1195 | 29.06.2015 |
Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-postgresql94-postgresql | Fixed | RHSA-2015:1196 | 29.06.2015 |
Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS | postgresql92-postgresql | Fixed | RHSA-2015:1195 | 29.06.2015 |
Additional information
Status:
EPSS
CVSS2: 2.6 Low