| Summary: | postgresql new security issues fixed upstream in 9.4.2, 9.3.7, 9.2.11, 9.1.16, and 9.0.20 (CVE-2015-316[5-7]) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, oe, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/645926/ | ||
| Whiteboard: | has_procedure MGA4-32-OK MGA4-64-OK advisory | ||
| Source RPM: | postgresql | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-05-23 12:46:18 CEST
David Walser
2015-05-23 12:46:38 CEST
CC:
(none) =>
oe Ubuntu has issued an advisory for this on May 25: http://www.ubuntu.com/usn/usn-2621-1/ URL:
(none) =>
http://lwn.net/Vulnerabilities/645926/ PostgreSQL 9.4.3, 9.3.8, 9.2.12, 9.1.17 & 9.0.21 have been released, fixing a regression from the previous update: http://www.postgresql.org/about/news/1590/ PostgreSQL 9.4.4, 9.3.9, 9.2.13, 9.1.18 & 9.0.22 have been released, fixing another regressions: http://www.postgresql.org/about/news/1592/ Updates for 9.3 and 9.4 checked into Cauldron SVN. Freeze push requested. Summary:
postgresql new security issues fixed upstream in 9.4.2, 9.3.7, 9.2.11, 9.1.16, and 9.0.20 =>
postgresql new security issues fixed upstream in 9.4.2, 9.3.7, 9.2.11, 9.1.16, and 9.0.20 (CVE-2015-316[5-7]) Updated packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated postgresql packages fix security vulnerabilities: Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence (CVE-2015-3165). The replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure (CVE-2015-3166). In contrib/pgcrypto, some cases of decryption with an incorrect key could report other error message texts, possibly leading to a side-channel key exposure (CVE-2015-3167). The postgresql9.0, postgresql9.1, postgresql9.2, and postgresql9.3 packages have been updated to versions 9.0.22, 9.1.18, 9.2.13, and 9.3.9, respectively, fixing these issues, as well as some data corruption issues. See the upstream release notes for more details. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3165 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3166 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3167 http://www.postgresql.org/about/news/1587/ http://www.postgresql.org/about/news/1590/ http://www.postgresql.org/about/news/1592/ https://www.debian.org/security/2015/dsa-3269 ======================== Updated packages in core/updates_testing: ======================== postgresql9.0-9.0.22-1.mga4 libpq9.0_5.3-9.0.22-1.mga4 libecpg9.0_6-9.0.22-1.mga4 postgresql9.0-server-9.0.22-1.mga4 postgresql9.0-docs-9.0.22-1.mga4 postgresql9.0-contrib-9.0.22-1.mga4 postgresql9.0-devel-9.0.22-1.mga4 postgresql9.0-pl-9.0.22-1.mga4 postgresql9.0-plpython-9.0.22-1.mga4 postgresql9.0-plperl-9.0.22-1.mga4 postgresql9.0-pltcl-9.0.22-1.mga4 postgresql9.0-plpgsql-9.0.22-1.mga4 postgresql9.1-9.1.18-1.mga4 libpq9.1_5.4-9.1.18-1.mga4 libecpg9.1_6-9.1.18-1.mga4 postgresql9.1-server-9.1.18-1.mga4 postgresql9.1-docs-9.1.18-1.mga4 postgresql9.1-contrib-9.1.18-1.mga4 postgresql9.1-devel-9.1.18-1.mga4 postgresql9.1-pl-9.1.18-1.mga4 postgresql9.1-plpython-9.1.18-1.mga4 postgresql9.1-plperl-9.1.18-1.mga4 postgresql9.1-pltcl-9.1.18-1.mga4 postgresql9.1-plpgsql-9.1.18-1.mga4 postgresql9.2-9.2.13-1.mga4 libpq9.2_5.5-9.2.13-1.mga4 libecpg9.2_6-9.2.13-1.mga4 postgresql9.2-server-9.2.13-1.mga4 postgresql9.2-docs-9.2.13-1.mga4 postgresql9.2-contrib-9.2.13-1.mga4 postgresql9.2-devel-9.2.13-1.mga4 postgresql9.2-pl-9.2.13-1.mga4 postgresql9.2-plpython-9.2.13-1.mga4 postgresql9.2-plperl-9.2.13-1.mga4 postgresql9.2-pltcl-9.2.13-1.mga4 postgresql9.2-plpgsql-9.2.13-1.mga4 postgresql9.3-9.3.9-1.mga4 libpq9.3_5-9.3.9-1.mga4 libecpg9.3_6-9.3.9-1.mga4 postgresql9.3-server-9.3.9-1.mga4 postgresql9.3-docs-9.3.9-1.mga4 postgresql9.3-contrib-9.3.9-1.mga4 postgresql9.3-devel-9.3.9-1.mga4 postgresql9.3-pl-9.3.9-1.mga4 postgresql9.3-plpython-9.3.9-1.mga4 postgresql9.3-plperl-9.3.9-1.mga4 postgresql9.3-pltcl-9.3.9-1.mga4 postgresql9.3-plpgsql-9.3.9-1.mga4 from SRPMS: postgresql9.0-9.0.22-1.mga4.src.rpm postgresql9.1-9.1.18-1.mga4.src.rpm postgresql9.2-9.2.13-1.mga4.src.rpm postgresql9.3-9.3.9-1.mga4.src.rpm Version:
Cauldron =>
4 MGA4-64 on HP Probook6555b KDE Installing the 9.3 version (did not have any version installed previously): no installation issues. Can start postgres at the CLI, and I am able to access it via pgAdminIII. Is that sufficient as test? CC:
(none) =>
herman.viaene I think so. Just make sure to test 9.2, 9.1, and 9.0 as well. Thanks! And idem fo versions 9.0 and 9.1 Whiteboard:
(none) =>
has_procedure MGA4-64-OK MGA4-32 on AcerD620 Xfce. No installation issues. All versions tested as above and all OK. Whiteboard:
has_procedure MGA4-64-OK =>
has_procedure MGA4-32-OK MGA4-64-OK
Dave Hodgins
2015-07-01 01:56:00 CEST
Keywords:
(none) =>
validated_update Advisory committed to svn. Someone from the sysadmin team please push 16027 to updates for Mageia 4. An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0250.html Status:
NEW =>
RESOLVED |