1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3269-1] postgresql-9.1 security update

    From Christoph Berg@1:229/2 to All on Fri May 22 17:30:01 2015
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3269-1 [email protected] http://www.debian.org/security/ Christoph Berg
    May 22, 2015 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : postgresql-9.1
    CVE ID : CVE-2015-3165 CVE-2015-3166 CVE-2015-3167

    Several vulnerabilities have been found in PostgreSQL-9.1, a SQL
    database system.

    CVE-2015-3165 (Remote crash)

    SSL clients disconnecting just before the authentication timeout
    expires can cause the server to crash.

    CVE-2015-3166 (Information exposure)

    The replacement implementation of snprintf() failed to check for
    errors reported by the underlying system library calls; the main
    case that might be missed is out-of-memory situations. In the worst
    case this might lead to information exposure.

    CVE-2015-3167 (Possible side-channel key exposure)

    In contrib/pgcrypto, some cases of decryption with an incorrect key
    could report other error message texts. Fix by using a
    one-size-fits-all message.

    For the oldstable distribution (wheezy), these problems have been fixed
    in version 9.1.16-0+deb7u1.

    For the stable distribution (jessie), these problems have been fixed in
    version 9.1.16-0+deb8u1. (Jessie contains a reduced postgresql-9.1
    package; only CVE-2015-3166 is fixed in the produced binary package postgresql-plperl-9.1. We recommend to upgrade to postgresql-9.4 to get
    the full set of fixes. See the Jessie release notes for details.)

    The testing distribution (stretch) and the unstable distribution (sid)
    do not contain the postgresql-9.1 package.

    We recommend that you upgrade your postgresql-9.1 packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCgAGBQJVX0Y1AAoJEAVMuPMTQ89EVJYP/3KmCAo+qajcPllCtIqJ+Bxa 072iEGPz2QId5AOsAlWJ6Oi0iOSTPltrY/Mch8WLGovchBrpRpZNQpcGnRAWMst9 BbA3teZtFpeDuWk82rXAkIztquvsJfbzD9BKSuzmYNK5N+bCmcTGu024LA1qyG/M xFeE72tcWcUySL3sUkWnVrJqWhU5u5kodpBT1mtjLOwX+GF1DkZV1dwr7NiaEs4A qMYv+xi+ZZrEdKQ2UYUuGcPY4Z5/4XIj4/qaap5p8cv7yJ/MBr7+G7UM/bYpQ4dz qfCyGIXARAcT21bjIRVOl8K45nSDzEDk3D4DLrlIGgqOKz1+72dv4P/fJcUsUVhN kUkK1qX2Ef2nSXgzedoy+M+MiAP+B0NbCf/48ORazXiVkI6eojjJYO6TXmCZ+M6E uyt+ff4AkVm3qVRahj6JI7RW8qbTDUsQWtrCb7pZa9Dfkv3lAq7kC+q+QLTQxl9e IkIGAT1sKLCpwVI1K6qqPp8s2Jg8pQLScxsKUN0PX0OJ++AhCYqtUymf6YgCtXbF I7PZP915LniPpNsM/VUtEkHJ8thYGvQ+DZOBBb9g4KVsZdcb+xDbCOnuojOyRVt0 4IEpx6AOcCnEnCwsyGek/j+9fTej1jf227dM17XofER9zArK/re5g6GKw9fqJSq6 bJoIGcHHP1SYqFW8omHS
    =G0/U
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)