desktop-packages team mailing list archive

Thread
Date

[Bug 1504132] Re: New upstream microreleases 9.1.19, 9.3.10, 9.4.5

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1504132@xxxxxxxxxxxxxxxxxx>
Date: Fri, 16 Oct 2015 01:44:13 -0000
Reply-to: Bug 1504132 <1504132@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package postgresql-9.3 - 9.3.10-0ubuntu0.14.04

---------------
postgresql-9.3 (9.3.10-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream security/bug fix release: (LP: #1504132)
    - Guard against stack overflows in json parsing.
      If an application constructs PostgreSQL json or jsonb values from
      arbitrary user input, the application's users can reliably crash the
      PostgreSQL server, causing momentary denial of service.  (CVE-2015-5289)

    - Fix contrib/pgcrypto to detect and report too-short crypt() salts
      Certain invalid salt arguments crashed the server or disclosed a few
      bytes of server memory.  We have not ruled out the viability of attacks
      that arrange for presence of confidential information in the disclosed
      bytes, but they seem unlikely.  (CVE-2015-5288)

    - See release notes for details about other fixes.

 -- Martin Pitt <martin.pitt@xxxxxxxxxx>  Thu, 08 Oct 2015 15:42:16
+0200

** Changed in: postgresql-9.4 (Ubuntu Vivid)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to postgresql-9.1 in Ubuntu.
https://bugs.launchpad.net/bugs/1504132

Title:
  New upstream microreleases 9.1.19, 9.3.10, 9.4.5

Status in postgresql-9.1 package in Ubuntu:
  Invalid
Status in postgresql-9.3 package in Ubuntu:
  Invalid
Status in postgresql-9.4 package in Ubuntu:
  Fix Released
Status in postgresql-9.1 source package in Precise:
  In Progress
Status in postgresql-9.1 source package in Trusty:
  Fix Released
Status in postgresql-9.3 source package in Trusty:
  Fix Released
Status in postgresql-9.4 source package in Vivid:
  Fix Released
Status in postgresql-9.4 source package in Wily:
  Fix Released

Bug description:
  Today PostgreSQL published new microreleases. They fix two CVEs, and
  the usual bunch of bugs: http://www.postgresql.org/about/news/1615/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postgresql-9.1/+bug/1504132/+subscriptions

References

[Bug 1504132] [NEW] New upstream microreleases 9.1.19, 9.3.10, 9.4.5
From: Martin Pitt, 2015-10-08