desktop-packages team mailing list archive
-
desktop-packages team
-
Mailing list archive
-
Message #120492
[Bug 1457093] Re: New upstream microreleases 9.1.16, 9.3.7, 9.4.2
This bug was fixed in the package postgresql-9.4 - 9.4.2-0ubuntu0.15.04
---------------
postgresql-9.4 (9.4.2-0ubuntu0.15.04) vivid-security; urgency=medium
* New upstream security/bug fix release (LP: #1457093)
- Avoid possible crash when client disconnects just before the
authentication timeout expires.
If the timeout interrupt fired partway through the session shutdown
sequence, SSL-related state would be freed twice, typically causing a
crash and hence denial of service to other sessions. Experimentation
shows that an unauthenticated remote attacker could trigger the bug
somewhat consistently, hence treat as security issue. (CVE-2015-3165)
- Improve detection of system-call failures
Our replacement implementation of snprintf() failed to check for errors
reported by the underlying system library calls; the main case that
might be missed is out-of-memory situations. In the worst case this
might lead to information exposure, due to our code assuming that a
buffer had been overwritten when it hadn't been. Also, there were a few
places in which security-relevant calls of other system library
functions did not check for failure.
It remains possible that some calls of the *printf() family of functions
are vulnerable to information disclosure if an out-of-memory error
occurs at just the wrong time. We judge the risk to not be large, but
will continue analysis in this area. (CVE-2015-3166)
- In contrib/pgcrypto, uniformly report decryption failures as Wrong key
or corrupt data
Previously, some cases of decryption with an incorrect key could report
other error message texts. It has been shown that such variance in
error reports can aid attackers in recovering keys from other systems.
While it's unknown whether pgcrypto's specific behaviors are likewise
exploitable, it seems better to avoid the risk by using a
one-size-fits-all message. (CVE-2015-3167)
- Protect against wraparound of multixact member IDs
Under certain usage patterns, the existing defenses against this might
be insufficient, allowing pg_multixact/members files to be removed too
early, resulting in data loss.
The fix for this includes modifying the server to fail transactions that
would result in overwriting old multixact member ID data, and improving
autovacuum to ensure it will act proactively to prevent multixact member
ID wraparound, as it does for transaction ID wraparound.
- See release notes for details about other fixes.
-- Martin Pitt <martin.pitt@xxxxxxxxxx> Wed, 20 May 2015 17:44:27
+0200
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to postgresql-9.1 in Ubuntu.
https://bugs.launchpad.net/bugs/1457093
Title:
New upstream microreleases 9.1.16, 9.3.7, 9.4.2
Status in postgresql-9.1 package in Ubuntu:
Invalid
Status in postgresql-9.3 package in Ubuntu:
Invalid
Status in postgresql-9.4 package in Ubuntu:
Fix Committed
Status in postgresql-9.1 source package in Precise:
Fix Released
Status in postgresql-9.1 source package in Trusty:
Fix Released
Status in postgresql-9.3 source package in Trusty:
Fix Released
Status in postgresql-9.4 source package in Utopic:
Fix Released
Status in postgresql-9.4 source package in Vivid:
Fix Released
Status in postgresql-9.4 source package in Wily:
Fix Committed
Bug description:
PostgreSQL will push out new microreleases on Friday, 2015-05-22. The
tarballs for the updates are not public yet, but the fixes are visible
in the upstream git, so there's no need to treat this as embargoed,
but there should still be a coordinated release. These fix a couple of
security issues, as well as the usual set of bug fixes.
Upstream announcement: http://www.postgresql.org/about/news/1587/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postgresql-9.1/+bug/1457093/+subscriptions
References
