desktop-packages team mailing list archive

Thread
Date

[Bug 1457093] Re: New upstream microreleases 9.1.16, 9.3.7, 9.4.2

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1457093@xxxxxxxxxxxxxxxxxx>
Date: Mon, 25 May 2015 11:16:20 -0000
Reply-to: Bug 1457093 <1457093@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package postgresql-9.1 - 9.1.16-0ubuntu0.14.04

---------------
postgresql-9.1 (9.1.16-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream security/bug fix release (LP: #1457093)
    - Improve detection of system-call failures
      Our replacement implementation of snprintf() failed to check for errors
      reported by the underlying system library calls; the main case that
      might be missed is out-of-memory situations. In the worst case this
      might lead to information exposure, due to our code assuming that a
      buffer had been overwritten when it hadn't been. Also, there were a few
      places in which security-relevant calls of other system library
      functions did not check for failure.
      It remains possible that some calls of the *printf() family of functions
      are vulnerable to information disclosure if an out-of-memory error
      occurs at just the wrong time.  We judge the risk to not be large, but
      will continue analysis in this area. (CVE-2015-3166)
   - Note: The other vulnerabilities fixed in 9.1.16 don't affect this version
     as we build the PL/Perl package only.

 -- Martin Pitt <martin.pitt@xxxxxxxxxx>  Wed, 20 May 2015 23:16:18
+0200

** Changed in: postgresql-9.1 (Ubuntu Trusty)
       Status: In Progress => Fix Released

** Changed in: postgresql-9.1 (Ubuntu Precise)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to postgresql-9.1 in Ubuntu.
https://bugs.launchpad.net/bugs/1457093

Title:
  New upstream microreleases 9.1.16, 9.3.7, 9.4.2

Status in postgresql-9.1 package in Ubuntu:
  Invalid
Status in postgresql-9.3 package in Ubuntu:
  Invalid
Status in postgresql-9.4 package in Ubuntu:
  Fix Committed
Status in postgresql-9.1 source package in Precise:
  Fix Released
Status in postgresql-9.1 source package in Trusty:
  Fix Released
Status in postgresql-9.3 source package in Trusty:
  Fix Released
Status in postgresql-9.4 source package in Utopic:
  Fix Released
Status in postgresql-9.4 source package in Vivid:
  Fix Released
Status in postgresql-9.4 source package in Wily:
  Fix Committed

Bug description:
  PostgreSQL will push out new microreleases on Friday, 2015-05-22. The
  tarballs for the updates are not public yet, but the fixes are visible
  in the upstream git, so there's no need to treat this as embargoed,
  but there should still be a coordinated release. These fix a couple of
  security issues, as well as the usual set of bug fixes.

  Upstream announcement: http://www.postgresql.org/about/news/1587/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postgresql-9.1/+bug/1457093/+subscriptions

References

[Bug 1457093] [NEW] New upstream microreleases 9.1.16, 9.3.7, 9.4.2
From: Martin Pitt, 2015-05-20