Bug 38607

Summary:	postgresql-8.4: Multiple issues (3.2)
Product:	UCS	Reporter:	Arvid Requate <requate>
Component:	Security updates	Assignee:	Janek Walkenhorst <walkenhorst>
Status:	CLOSED FIXED	QA Contact:	Felix Botner <botner>
Severity:	normal
Priority:	P3	CC:	gohmann
Version:	UCS 3.2	Flags:	requate: Patch_Available+
Target Milestone:	UCS 3.2-7-errata
Hardware:	Other
OS:	Linux
What kind of report is it?:	---	What type of bug is this?:	---
Who will be affected by this bug?:	---	How will those affected feel about the bug?:	---
User Pain:		Enterprise Customer affected?:
School Customer affected?:		ISV affected?:
Waiting Support:		Flags outvoted (downgraded) after PO Review:
Ticket number:		Bug group (optional):	Security
Max CVSS v3 score:

Description Arvid Requate

2015-05-26 20:44:06 CEST

Fix available in upstream Debian package version 8.4.22lts2-0+deb6u1:

* Denial of service due to double-free after authentication timeout (CVE-2015-3165)
* Information disclosure due to missing checks of return codes from the standard library (CVE-2015-3166)
* Inconsistent error messages from contrib/pgcrypto (CVE-2015-3167)

Comment 1 Arvid Requate

2015-07-13 13:18:24 CEST

Fixed in 8.4.22lts4-0+deb6u1:

* Fix rare failure to invalidate relation cache init file (Tom Lane)

  With just the wrong timing of concurrent activity, a VACUUM  FULL
  on a system catalog might fail to update the init file that's used to
  avoid cache-loading work for new sessions.  This would result in
  later sessions being unable to access that catalog at all.
  This is a very ancient bug, but it's so hard to trigger that no
  reproducible case had been seen until recently. (No CVE)

Comment 2 Janek Walkenhorst

2015-09-17 18:49:07 CEST

Tests (i386): OK
Advisory: 2015-09-17-postgresql-8.4.yaml

Comment 3 Felix Botner

2015-10-05 11:07:56 CEST

* OK - installation/update
* OK - tests
* OK - update to 4.0
* OK - YAML

Comment 4 Janek Walkenhorst

2015-10-14 14:04:49 CEST

<http://errata.software-univention.de/ucs/3.2/373.html>