"David G. Johnston" <david.g.johnston@gmail.com> writes:
> If you are saying 9.3.2 gives a result and 9.3.20 raises an error I suspect
> the response in 9.3.2 was bogus and giving an error instead of a bogus
> result was deemed the best fix.
A bit of diving in the git history says that behavior changed here:
Author: Noah Misch <noah@leadboat.com>
Branch: master Release: REL9_6_BR [1d812c8b0] 2015-10-05 10:06:29 -0400
Branch: REL9_5_STABLE Release: REL9_5_0 [4d6752277] 2015-10-05 10:06:33 -0400
Branch: REL9_4_STABLE Release: REL9_4_5 [4d95419e8] 2015-10-05 10:06:34 -0400
Branch: REL9_3_STABLE Release: REL9_3_10 [cc1210f0a] 2015-10-05 10:06:34 -0400
Branch: REL9_2_STABLE Release: REL9_2_14 [56232f987] 2015-10-05 10:06:35 -0400
Branch: REL9_1_STABLE Release: REL9_1_19 [48f6310bc] 2015-10-05 10:06:35 -0400
Branch: REL9_0_STABLE Release: REL9_0_23 [188e081ef] 2015-10-05 10:06:36 -0400
pgcrypto: Detect and report too-short crypt() salts.
Certain short salts crashed the backend or disclosed a few bytes of
backend memory. For existing salt-induced error conditions, emit a
message saying as much. Back-patch to 9.0 (all supported versions).
Josh Kupershmidt
Security: CVE-2015-5288
The 9.3.10 release notes do contain an entry about this.
regards, tom lane
