Univention Bugzilla – Bug 41672
postgresql-9.1: Multiple issues (3.3)
Last modified: 2019-04-11 19:25:27 CEST
+++ This bug was initially created as a clone of Bug #40717 +++ Upstream Debian package version 9.1.20-0+deb7u1 fixes these issues: * Attackers may cause denial of service (server crash) or read arbitrary server memory via "too-short" crypt salts (CVE-2015-5288) * Privilege escalation vulnerability for users of PL/Java (CVE-2016-0766) * Denial of service and potential execution of arbitrary code due to buffer overrun in PL/Java regular expression processing (CVE-2016-0773)
Debian updated postgresql-9.1 to the new version 9.1.22-0+deb7u1, which fixes these issues: * Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection. * Fix "failed to build any N-way joins" planner error with a full join enclosed in the right-hand side of a left join * Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() These could advance off the end of the input string, causing subsequent format codes to read garbage. * Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT * Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines. * Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore. * Rename internal function strtoi() to strtoint() to avoid conflict with a NetBSD library function * Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.
Upstream Debian package version 9.1.23-0+deb7u1 fixes: * possible mis-evaluation of nested CASE-WHEN expressions (CVE-2016-5423) * Fix client programs' handling of special characters in database and role names (CVE-2016-5424) CVE-2016-5423: CVSS v2 base score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) CVE-2016-5424: CVSS v2 base score: 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)
This issue has been filled against UCS 3.3. The maintenance with bug and security fixes for UCS 3.3 has ended on 31st of December 2016. Customers still on UCS 3.3 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.