Bug 40800 - postgresql-8.4: Multiple issues (ES 3.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 3.1
Hardware: Other Linux
Importance: P3 normal
Target Milestone: UCS 3.1-ES
Assigned To: Arvid Requate
QA Contact: Janek Walkenhorst
Depends on: 40358
Blocks:
Reported: 2016-02-29 16:48 CET by Arvid Requate
Modified: 2016-04-12 19:36 CEST

Bug group (optional): Security
requate: Patch_Available+


Attachments
3.1-postgresql-8.4.txt.asc (2.10 KB, text/plain)
2016-02-29 19:55 CET, Arvid Requate
3.1-postgresql-8.4.txt.asc (2.10 KB, text/plain)
2016-03-22 19:52 CET, Arvid Requate
Description Arvid Requate univentionstaff 2016-02-29 16:48:39 CET
Fix available in upstream Debian package version 8.4.22lts2-0+deb6u1:

* Denial of service due to double-free after authentication timeout (CVE-2015-3165)
* Information disclosure due to missing checks of return codes from the standard library (CVE-2015-3166)
* Inconsistent error messages from contrib/pgcrypto (CVE-2015-3167)
Comment 1 Arvid Requate univentionstaff 2016-02-29 16:50:31 CET
Fixed in 8.4.22lts4-0+deb6u1:

* Fix rare failure to invalidate relation cache init file (Tom Lane)

  With just the wrong timing of concurrent activity, a VACUUM FULL
  on a system catalog might fail to update the init file that's used to
  avoid cache-loading work for new sessions.  This would result in
  later sessions being unable to access that catalog at all.
  This is a very ancient bug, but it's so hard to trigger that no
  reproducible case had been seen until recently. (No CVE)
Comment 2 Arvid Requate univentionstaff 2016-02-29 16:50:37 CET
Fix available in upstream Debian package version 8.4.22lts5-0+deb6u1:

* Attackers may cause denial of service (server crash) or read arbitrary server memory via "too-short" crypt salts (CVE-2015-5288)
Comment 3 Arvid Requate univentionstaff 2016-02-29 16:50:53 CET
 Arvid Requate univentionstaff 2016-02-29 16:41:02 CET

Upstream Debian package version 8.4.22lts6-0+deb6u1 fixes this additional issue:

* Denial of service and potential execution of arbitrary code due to buffer overrun in PL/Java regular expression processing (CVE-2016-0773)
Comment 4 Arvid Requate univentionstaff 2016-02-29 19:55:50 CET
Created attachment 7506
3.1-postgresql-8.4.txt.asc

The upstream package version has been imported and built in extsec3.1.
The advisory draft is attached.
Comment 5 Janek Walkenhorst univentionstaff 2016-03-02 17:43:43 CET
Tests (i386/amd64): OK
Advisory: Typo in version number
Comment 6 Arvid Requate univentionstaff 2016-03-22 19:52:56 CET
Created attachment 7551
3.1-postgresql-8.4.txt.asc
Comment 7 Janek Walkenhorst univentionstaff 2016-04-05 18:26:57 CEST
Tests (i386/amd64): OK
Advisory: OK
Comment 8 Janek Walkenhorst univentionstaff 2016-04-12 19:36:41 CEST
Released