|Description||crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|Debian Bugs||631283, 631285, 631347, 679628|
Vulnerable and fixed packages
The table below lists information on source packages.
The information below is based on the following data on fixed versions.
- libcrypt-eksblowfish-perl <not-affected> (discovered and corrected in initial release in 2007)
- php-suhosin <not-affected> (bug #631283; that portion is not used since PHP 5.3)
[squeeze] - libxcrypt <no-dsa> (Minor issue)