[Pkg-postgresql-public] New PostgreSQL releases on 2015-05-22

Christoph Berg myon at debian.org
Wed May 20 10:21:00 UTC 2015 

Hi,

PostgreSQL will be releasing new minor releases on Friday (usually
around 14 UTC+-1, that should be a good time for the DSAs). The
tarballs for the updates are not public yet, but the fixes are visible
in the upstream git, so there's no need to treat this as embargoed,
but there should still be a coordinated release.

As usual, we have half a dozen packages to update. Unless otherwise
noted, the packages are all affected three CVEs. I'll push the
9.4/unstable update in Friday. I can push the other packages earlier
for release on Friday if you permit.

postgresql-9.4:
  unstable+testing: 9.4.2-1
  jessie: 9.4.2-0+deb8u1

postgresql-9.1:
  unstable+testing: plperl-only compatibility package: rather than
    providing a fix I should use the opportunity to get the packages
    removed there
  jessie: plperl-only compatibility package, only affected by CVE-2015-3166
    9.1.16-0+deb8u1
  wheezy: 9.1.16-0+deb7u1

postgresql-8.4: (for reference, no security team action needed)
  unstable+testing+jessie: (not present)
  wheezy: plperl-only compatibility package, only affected by CVE-2015-3166
    -> will not get fixed (EOL upstream)
  squeeze-lts: 8.4.22lts2-0+deb6u1


Here's the changelog I'm using:

postgresql-9.4 (9.4.2-1) unstable; urgency=medium

  * New upstream version.

    + Avoid possible crash when client disconnects just before the
      authentication timeout expires (Benkocs Norbert Attila)

      If the timeout interrupt fired partway through the session shutdown
      sequence, SSL-related state would be freed twice, typically causing a
      crash and hence denial of service to other sessions.  Experimentation
      shows that an unauthenticated remote attacker could trigger the bug
      somewhat consistently, hence treat as security issue. (CVE-2015-3165)

    + Improve detection of system-call failures (Noah Misch)

      Our replacement implementation of snprintf() failed to check for errors
      reported by the underlying system library calls; the main case that
      might be missed is out-of-memory situations. In the worst case this
      might lead to information exposure, due to our code assuming that a
      buffer had been overwritten when it hadn't been. Also, there were a few
      places in which security-relevant calls of other system library
      functions did not check for failure.

      It remains possible that some calls of the *printf() family of functions
      are vulnerable to information disclosure if an out-of-memory error
      occurs at just the wrong time.  We judge the risk to not be large, but
      will continue analysis in this area. (CVE-2015-3166)

    + In contrib/pgcrypto, uniformly report decryption failures as Wrong key
      or corrupt data (Noah Misch)

      Previously, some cases of decryption with an incorrect key could report
      other error message texts.  It has been shown that such variance in
      error reports can aid attackers in recovering keys from other systems.
      While it's unknown whether pgcrypto's specific behaviors are likewise
      exploitable, it seems better to avoid the risk by using a
      one-size-fits-all message. (CVE-2015-3167)

    + Protect against wraparound of multixact member IDs
      (Álvaro Herrera, Robert Haas, Thomas Munro)

      Under certain usage patterns, the existing defenses against this might
      be insufficient, allowing pg_multixact/members files to be removed too
      early, resulting in data loss.
      The fix for this includes modifying the server to fail transactions that
      would result in overwriting old multixact member ID data, and improving
      autovacuum to ensure it will act proactively to prevent multixact member
      ID wraparound, as it does for transaction ID wraparound.

The 4th paragraph is not security-related, but a noteworthy fix (not
necessarily noteworthy to be mentioned in the DSA). (Of course there's
more fixes bundled.)

Christoph
-- 
cb at df7cb.de | http://www.df7cb.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-postgresql-public/attachments/20150520/36a0bebc/attachment.sig>

More information about the Pkg-postgresql-public mailing list