Openssl · Openssl · CVE-2013-1900
**Name of the Vulnerable Software and Affected Versions**
PostgreSQL versions 8.4.x through 8.4.16
PostgreSQL versions 9.0.x through 9.0.12
PostgreSQL versions 9.1.x through 9.1.8
PostgreSQL versions 9.2.x through 9.2.3
libpq5 versions (affected versions not specified)
libpq5-32bit versions (affected versions not specified)
libecpg6 versions (affected versions not specified)
**Description**
The issue affects the generation of random numbers by the contrib/pgcrypto functions in PostgreSQL when using OpenSSL. This may allow remote authenticated users to have an unspecified impact. Exploitation is remote but requires that the attacker first pass authentication, and it can potentially lead to a breach of confidentiality, integrity, and availability of protected information.
**Recommendations**
For PostgreSQL versions 8.4.x through 8.4.16, update to version 8.4.17 or later.
For PostgreSQL versions 9.0.x through 9.0.12, update to version 9.0.13 or later.
For PostgreSQL versions 9.1.x through 9.1.8, update to version 9.1.9 or later.
For PostgreSQL versions 9.2.x through 9.2.3, update to version 9.2.4 or later.
For libpq5, libpq5-32bit, and libecpg6, there is currently no information about a newer version that contains a fix for this vulnerability.
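
To apply the version ranges above across a fleet, the following added example (not part of the advisory) classifies the strings returned by `SELECT version()` and reports the first fixed release for each affected server. The hostnames and version strings are constructed, and branches the advisory does not name are reported as not listed rather than as safe; the libpq5 and libecpg6 packages are left out because no versions are given for them.

```python
import re

# First fixed release per affected branch, as listed in the advisory text.
FIRST_FIXED = {
    (8, 4): (8, 4, 17),
    (9, 0): (9, 0, 13),
    (9, 1): (9, 1, 9),
    (9, 2): (9, 2, 4),
}

# Matches "9.1.8" inside strings such as the output of SELECT version().
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def triage(version_string):
    """Return (status, first_fixed) for one server version string."""
    m = VERSION_RE.search(version_string)
    if m is None:
        return ("unparseable", None)
    major, minor = int(m.group(1)), int(m.group(2))
    # Assumption: a string with no patch component is treated as x.y.0.
    patch = int(m.group(3) or 0)
    fix = FIRST_FIXED.get((major, minor))
    if fix is None:
        # Branch not named in the advisory: report it, do not call it safe.
        return ("not-listed", None)
    target = ".".join(str(n) for n in fix)
    status = "affected" if (major, minor, patch) < fix else "fixed"
    return (status, target)


def needs_update(inventory):
    """Return {host: first_fixed} for every host in an affected range."""
    results = {host: triage(v) for host, v in inventory.items()}
    return {h: fix for h, (status, fix) in results.items() if status == "affected"}


# Constructed sample inventory (hostnames and strings are illustrative).
SAMPLE = {
    "db-a.example": "PostgreSQL 9.1.8 on x86_64-unknown-linux-gnu, 64-bit",
    "db-b.example": "PostgreSQL 8.4.17 on x86_64-unknown-linux-gnu, 64-bit",
    "db-c.example": "9.2.3",
    "db-d.example": "PostgreSQL 9.3.1 on x86_64-unknown-linux-gnu, 64-bit",
}

if __name__ == "__main__":
    for host, target in sorted(needs_update(SAMPLE).items()):
        print(f"{host}: update to {target} or later")
```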