Univention Bugzilla – Bug 40717
postgresql-9.1: Multiple issues (4.1)
Last modified: 2016-11-23 14:34:19 CET
Upstream Debian package version 9.1.20-0+deb7u1 fixes these issues: * Attackers may cause denial of service (server crash) or read arbitrary server memory via "too-short" crypt salts (CVE-2015-5288) * Privilege escalation vulnerability for users of PL/Java (CVE-2016-0766) * Denial of service and potential execution of arbitrary code due to buffer overrun in PL/Java regular expression processing (CVE-2016-0773)
Debian updated postgresql-9.1 to the new version 9.1.22-0+deb7u1, which fixes these issues: * Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection. * Fix "failed to build any N-way joins" planner error with a full join enclosed in the right-hand side of a left join * Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() These could advance off the end of the input string, causing subsequent format codes to read garbage. * Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT * Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines. * Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore. * Rename internal function strtoi() to strtoint() to avoid conflict with a NetBSD library function * Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.
Upstream Debian package version 9.1.23-0+deb7u1 fixes: * possible mis-evaluation of nested CASE-WHEN expressions (CVE-2016-5423) * Fix client programs' handling of special characters in database and role names (CVE-2016-5424) CVE-2016-5423: CVSS v2 base score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) CVE-2016-5424: CVSS v2 base score: 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)
Upstream package version 9.1.24-0+deb7u1 fixes a couple of stability issues: * https://www.postgresql.org/docs/9.1/static/release-9-1-24.html
Package imported and built. Advisory: postgresql-9.1.yaml
OK - CVE-2015-5288, CVE-2016-0766, CVE-2016-0773, CVE-2016-5423, CVE-2016-5424 OK - install/update OK - YAML
<http://errata.software-univention.de/ucs/4.1/329.html>