Opened 9 years ago

Closed 9 years ago

#6530 closed enhancement (fixed)

postgresql-9.4.2

Reported by: Fernando de Oliveira Owned by: Fernando de Oliveira
Priority: high Milestone: 7.8
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

http://ftp.postgresql.org/pub/source/v9.4.2/postgresql-9.4.2.tar.bz2

http://ftp.postgresql.org/pub/source/v9.4.2/postgresql-9.4.2.tar.bz2.md5

b6369156607a4fd88f21af6fec0f30b9

http://www.securityfocus.com/archive/1/535591/30/0/threaded

- ------------------------------------------------------------------------
-
Debian Security Advisory DSA-3270-1 security (at) debian (dot) org [email concealed]
http://www.debian.org/security/ Christoph Berg
May 22, 2015 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
-

Package : postgresql-9.4
CVE ID : CVE-2015-3165 CVE-2015-3166 CVE-2015-3167

Several vulnerabilities have been found in PostgreSQL-9.4, a SQL
database system.

CVE-2015-3165 (Remote crash)

SSL clients disconnecting just before the authentication timeout
expires can cause the server to crash.

CVE-2015-3166 (Information exposure)

The replacement implementation of snprintf() failed to check for
errors reported by the underlying system library calls; the main
case that might be missed is out-of-memory situations. In the worst
case this might lead to information exposure.

CVE-2015-3167 (Possible side-channel key exposure)

In contrib/pgcrypto, some cases of decryption with an incorrect key
could report other error message texts. Fix by using a
one-size-fits-all message.

http://www.postgresql.org/about/news/1587/ and

http://www.postgresql.org/about/news/1

PostgreSQL 9.4.2, 9.3.7, 9.2.11, 9.1.16, and 9.0.20 released!
Posted on May 22, 2015

The PostgreSQL Global Development Group has released an update with
multiple functionality and security fixes to all supported versions of
the PostgreSQL database system, which includes minor versions 9.4.2,
9.3.7, 9.2.11, 9.1.16, and 9.0.20. The update contains a critical fix for
a potential data corruption issue in PostgreSQL 9.3 and 9.4; users of
those versions should update their servers at the next possible
opportunity.

Data Corruption Fix

For users of PostgreSQL versions 9.3 or 9.4, this release fixes a problem
where the database will fail to protect against "multixact wraparound",
resulting in data corruption or loss. Users with a high transaction rate
(1 million or more per hour) in a database with many foreign keys are
especially vulnerable. We strongly urge all users of 9.4 and 9.3 to
update their installations in the next few days.

Users of versions 9.2 and earlier are not affected by this issue.

Security Fixes

This update fixes three security vulnerabilities reported in PostgreSQL
over the past few months. Nether of these issues is seen as particularly
urgent. However, users should examine them in case their installations
are vulnerable:

    CVE-2015-3165 Double "free" after authentication timeout.
    CVE-2015-3166 Unanticipated errors from the standard library.
    CVE-2015-3167 pgcrypto has multiple error messages for decryption
    with an incorrect key.

Additionally, we are recommending that all users who use Kerberos,
GSSAPI, or SSPI authentication set include_realm to 1 in pg_hba.conf,
which will become the default in future versions.

More information about these issues, as well as older patched issues, is
available on the PostgreSQL Security Page.

Other Fixes and Improvements

A new, non-default version of the citext extension fixes its previously
undocumented regexp_matches() functions to align with the ordinary text
version of those functions. The fixed version has a different return type
than the old version, so users of CIText should test their applications
before updating the function by running "ALTER EXTENSION citext UPDATE".

In addition to the above, more than 50 reported issues have been fixed in
this cumulative update release. Most of the issues named affect all
supported versions. These fixes include:

    Render infinite dates and timestamps as infinity when converting to
    json
    Fix json/jsonb's populate_record() and to_record()
    Fix incorrect checking of deferred exclusion constraints
    Improve planning of star-schema-style queries
    Fix three issues with planning joins
    Ensure correct locking with security barrier views
    Fix deadlock at startup when max_prepared_transactions is too small
    Recursively fsync() the data directory after a crash
    Fix autovacuum launcher's possible failure to shut down
    Cope with unexpected signals in LockBufferForCleanup()
    Fix crash when doing COPY IN to a table with check constraints
    Avoid waiting for synchronous replication of read-only transactions
    Fix two issues with hash indexes
    Prevent memory leaks in GIN index vacuum
    Fix two issues with background workers
    Several fixes to Logical Decoding replication
    Fix several minor issues with pg_dump and pg_upgrade

This release includes an update to tzdata release 2015d, with updates to
Egypt, Mongolia, and Palestine, plus historical changes in Canada and
Chile.

Change History (2)

comment:1 by Fernando de Oliveira, 9 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: newassigned

comment:2 by Fernando de Oliveira, 9 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r16016.

Note: See TracTickets for help on using tickets.