[php-maint] Bug#631347: Bug#631347: CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash

Ondřej Surý ondrej at sury.org
Thu Jun 23 05:42:01 UTC 2011

forcemerge 631286 631347
tags 631286 +squeeze wheezy sid
Thank you


I already notice the bug when you reported it in postgresql and cloned the bug.

Yes, the php5 is affected, but only squeeze and onwards (writing this from top of my head, so I will better double check).

Security team, can you remove the last  not yet published security upload of php5? I'll bundle this CVE in and we will finally release the security update.

Ondřej Surý

On 23.6.2011, at 5:37, Luciano Bello <luciano at debian.org> wrote:

> Package: php5
> Severity: serious
> Tags: security
> Hi,
> A bug in crypt_blowfish was reported [1,2,3]. The RH report [4] may be useful 
> too.
> The function BF_set_key in ./ext/standard/crypt_blowfish.c is vulnerable. Can 
> you confirm that the bug affects the Debian packages?
> If so, please, considerer providing patches for stable and oldstable besides 
> sid.
> The CVE (Common Vulnerabilities & Exposures) assigned is CVE-2011-2483.
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> [1] http://www.openwall.com/lists/oss-security/2011/06/20/2
> [2] http://www.openwall.com/lists/john-dev/2011/06/20/3
> [3] http://www.openwall.com/lists/john-dev/2011/06/20/5
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=715025
> -luciano
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20110623/af59a0c5/attachment.html>

More information about the pkg-php-maint mailing list