Bug 40800

Summary: postgresql-8.4: Multiple issues (ES 3.1)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Janek Walkenhorst <walkenhorst>
Severity: normal
Priority: P3
CC: requate
Version: UCS 3.1
Flags: requate: Patch_Available+
Target Milestone: UCS 3.1-ES
Hardware: Other
OS: Linux
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on: 40358    
Bug Blocks:    
Attachments: 3.1-postgresql-8.4.txt.asc
3.1-postgresql-8.4.txt.asc

Description Arvid Requate univentionstaff 2016-02-29 16:48:39 CET
Fix available in upstream Debian package version 8.4.22lts2-0+deb6u1:

* Denial of service due to double-free after authentication timeout (CVE-2015-3165)
* Information disclosure due to missing checks of return codes from the standard library (CVE-2015-3166)
* Inconsistent error messages from contrib/pgcrypto (CVE-2015-3167)
Comment 1 Arvid Requate univentionstaff 2016-02-29 16:50:31 CET
Fixed in 8.4.22lts4-0+deb6u1:

* Fix rare failure to invalidate relation cache init file (Tom Lane)

  With just the wrong timing of concurrent activity, a VACUUM FULL
  on a system catalog might fail to update the init file that's used to
  avoid cache-loading work for new sessions.  This would result in
  later sessions being unable to access that catalog at all.
  This is a very ancient bug, but it's so hard to trigger that no
  reproducible case had been seen until recently. (No CVE)
Comment 2 Arvid Requate univentionstaff 2016-02-29 16:50:37 CET
Fix available in upstream Debian package version 8.4.22lts5-0+deb6u1:

* attackers may cause denial of service (server crash) or read arbitrary server memory via "too-short" crypt salts (CVE-2015-5288)
Comment 3 Arvid Requate univentionstaff 2016-02-29 16:50:53 CET
 Arvid Requate univentionstaff 2016-02-29 16:41:02 CET

Upstream Debian package version 8.4.22lts6-0+deb6u1 fixes this additional issue:

* Denial of service and potential execution of arbitrary code due to buffer overrun in PL/Java regular expression processing (CVE-2016-0773)
Comment 4 Arvid Requate univentionstaff 2016-02-29 19:55:50 CET
Created attachment 7506
3.1-postgresql-8.4.txt.asc

The upstream package version has been imported and built in extsec3.1.
The advisory draft is attached.
Comment 5 Janek Walkenhorst univentionstaff 2016-03-02 17:43:43 CET
Tests (i386/amd64): OK
Advisory: Typo in version number
Comment 6 Arvid Requate univentionstaff 2016-03-22 19:52:56 CET
Created attachment 7551
3.1-postgresql-8.4.txt.asc
Comment 7 Janek Walkenhorst univentionstaff 2016-04-05 18:26:57 CEST
Tests (i386/amd64): OK
Advisory: OK
Comment 8 Janek Walkenhorst univentionstaff 2016-04-12 19:36:41 CEST
Released