Univention Bugzilla – Bug 40800
postgresql-8.4: Multiple issues (ES 3.1)
Last modified: 2016-04-12 19:36:41 CEST
Fix available in upstream Debian package version 8.4.22lts2-0+deb6u1: * Denial of service due to double-free after authentication timeout (CVE-2015-3165) * Information disclosure due to missing checks of return codes from the standard library (CVE-2015-3166) * Inconsistent error messages from contrib/pgcrypto (CVE-2015-3167)
Fixed in 8.4.22lts4-0+deb6u1: * Fix rare failure to invalidate relation cache init file (Tom Lane) With just the wrong timing of concurrent activity, a VACUUM FULL on a system catalog might fail to update the init file that's used to avoid cache-loading work for new sessions. This would result in later sessions being unable to access that catalog at all. This is a very ancient bug, but it's so hard to trigger that no reproducible case had been seen until recently. (No CVE)
Fix available in upstream Debian package version 8.4.22lts5-0+deb6u1: * attackers may cause denial of service (server crash) or read arbitrary server memory via "too-short" crypt salts (CVE-2015-5288)
Arvid Requate univentionstaff 2016-02-29 16:41:02 CET Upstream Debian package version 8.4.22lts6-0+deb6u1 fixes this additional issue: * Denial of service and potential execution of arbitrary code due to buffer overrun in PL/Java regular expression processing (CVE-2016-0773)
Created attachment 7506 [details] 3.1-postgresql-8.4.txt.asc The upstream package version has been imported and built in extsec3.1. The advisory draft is attached.
Tests (i386/amd64): OK Advisory: Typo in version number
Created attachment 7551 [details] 3.1-postgresql-8.4.txt.asc
Tests (i386/amd64): OK Advisory: OK
Released