crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Php | Php | * | 5.3.7 (excluding) |
| Red Hat Enterprise Linux 4 | RedHat | postgresql-0:7.4.30-3.el4 | * |
| Red Hat Enterprise Linux 5 | RedHat | postgresql-0:8.1.23-1.el5_7.2 | * |
| Red Hat Enterprise Linux 5 | RedHat | postgresql84-0:8.4.9-1.el5_7.1 | * |
| Red Hat Enterprise Linux 5 | RedHat | php53-0:5.3.3-1.el5_7.3 | * |
| Red Hat Enterprise Linux 6 | RedHat | postgresql-0:8.4.9-1.el6_1.1 | * |
| Red Hat Enterprise Linux 6 | RedHat | php-0:5.3.3-3.el6_1.3 | * |
| John | Ubuntu | hardy | * |
| John | Ubuntu | lucid | * |
| John | Ubuntu | maverick | * |
| John | Ubuntu | natty | * |
| John | Ubuntu | upstream | * |
| Php5 | Ubuntu | hardy | * |
| Php5 | Ubuntu | lucid | * |
| Php5 | Ubuntu | maverick | * |
| Php5 | Ubuntu | natty | * |
| Php5 | Ubuntu | upstream | * |
| Postgresql-8.2 | Ubuntu | hardy | * |
| Postgresql-8.3 | Ubuntu | hardy | * |
| Postgresql-8.4 | Ubuntu | lucid | * |
| Postgresql-8.4 | Ubuntu | maverick | * |
| Postgresql-8.4 | Ubuntu | natty | * |
| Postgresql-8.4 | Ubuntu | oneiric | * |
| Postgresql-8.4 | Ubuntu | upstream | * |
| Postgresql-9.1 | Ubuntu | upstream | * |