Opened 9 years ago

Closed 8 years ago

#7004 closed enhancement (fixed)

postgresql-9.4.5

Reported by: Fernando de Oliveira
Owned by: Fernando de Oliveira
Priority: high
Milestone: 7.9
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

Security Update Release

CVE-2015-5289: json or jsonb input values constructed from arbitrary user input can crash the PostgreSQL server and cause a denial of service.

CVE-2015-5288: The crypt() function included with the optional pgCrypto extension could be exploited to read a few additional bytes of memory. No working exploit for this issue has been developed.

http://ftp.postgresql.org/pub/source/v9.4.5/postgresql-9.4.5.tar.bz2

http://ftp.postgresql.org/pub/source/v9.4.5/postgresql-9.4.5.tar.bz2.md5

8b2e3472a8dc786649b4d02d02e039a0

http://www.postgresql.org/about/news/1615/

http://www.postgresql.org/docs/current/static/release-9-4-5.html

2015-10-08 Security Update Release
Posted on Oct. 8, 2015

The PostgreSQL Global Development Group has released an update to all
supported versions of our database system, including 9.4.5, 9.3.10,
9.2.14, 9.1.19 and 9.0.23. This release fixes two security issues, as
well as several bugs found over the last four months. Users vulnerable
to the security issues should update their installations immediately;
other users should update at the next scheduled downtime.  This is also
the final update release for major version 9.0.

Security Fixes

Two security issues have been fixed in this release which affect users
of specific PostgreSQL features:

CVE-2015-5289: json or jsonb input values constructed from arbitrary
user input can crash the PostgreSQL server and cause a denial of
service.

CVE-2015-5288: The crypt() function included with the optional pgCrypto
extension could be exploited to read a few additional bytes of memory.
No working exploit for this issue has been developed.

The PostgreSQL project thanks Josh Kupershmidt and Oskari Saarenmaa for
reporting these issues.

This update will also disable SSL renegotiation by default; previously,
it was enabled by default. SSL renegotiation will be removed entirely in
PostgreSQL versions 9.5 and later.

Other Fixes and Improvements

In addition to the above, many other issues were patched in this release
based on bugs reported by our users over the last few months. These
fixes include:

     • Prevent deeply nested regex, LIKE and SIMILAR matching from
       crashing the server
     • Multiple other fixes with regular expression handling
     • Ensure that ALTER TABLE sets all locks for CONSTRAINT
       modifications
     • Fix subtransaction cleanup when a cursor fails, preventing a
       crash
     • Prevent deadlock during WAL insertion when commit_delay is set
     • Fix locking during updating of updatable views
     • Prevent corruption of relation cache "init file"
     • Improve performance of large SPI query results
     • Improve LISTEN startup time
     • Disable SSL renegotiation by default
     • Lower minimum for *_freeze_max_age parameters
     • Limit the maximum for wal_buffers to 2GB
     • Guard against potential stack overflows in several areas
     • Fix handling of DOW and DOY in datetime input
     • Allow regular expression queries to be canceled sooner
     • Fix assorted planner bugs
     • Fix several shutdown issues in the postmaster
     • Make anti-wraparound autovacuuming more robust
     • Fix minor issues with GIN and SP-GiST indexes.
     • Fix several issues with PL/Python, PL/Perl and PL/Tcl
     • Improve pg_stat_statements' garbage collection
     • Improve collation handling in pgsql_fdw
     • Improve libpq's handling of out-of-memory conditions
     • Prevent psql crash when there is no current connection
     • Multiple fixes to pg_dump, including file and object permissions
     • Improve handling of privileges when dumping from old PostgreSQL
       versions
     • Fix issues with support of Alpha, PPC, AIX and Solaris platforms
     • Fix startup issue on Windows with Chinese locale
     • Fix Windows install.bat script to handle spaces in filenames
     • Make the numeric PostgreSQL version number available to
       extensions

This update also contains tzdata release 2015g, with updates for Cayman
Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey,
Uruguay, and the new zone America/Fort_Nelson.

Final Update for 9.0

9.0.23 is the final update for major version 9.0, which is now
End-Of-Life (EOL) as scheduled. Future security updates will not include
version 9.0. As such, users of that version should plan to upgrade to
another major version as soon as possible. For more information about
the community's support policy and EOL schedule, see the Versioning
Policy.

Updating

All PostgreSQL update releases are cumulative. As with other minor
releases, users are not required to dump and reload their database or
use pg_upgrade in order to apply this update release; you may simply
shut down PostgreSQL and update its binaries. Users who have skipped
multiple update releases may need to perform additional post-update
steps; see the Release Notes for details.

...

Change History (2)

comment:1 by Fernando de Oliveira, 8 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

comment:2 by Fernando de Oliveira, 8 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r16582.
