This update fixes three security vulnerabilities reported in PostgreSQL over the past few months. None of these issues is seen as particularly urgent. However, users should examine them in case their installations are vulnerable:

* CVE-2015-3165 Double "free" after authentication timeout.
* CVE-2015-3166 Unanticipated errors from the standard library.
* CVE-2015-3167 pgcrypto has multiple error messages for decryption with an incorrect key.

Additionally, we are recommending that all users who use Kerberos, GSSAPI, or SSPI authentication set include_realm to 1 in pg_hba.conf, which will become the default in future versions. More information about these issues, as well as older patched issues, is available on the PostgreSQL Security Page.

========================================================================

CVEs have not yet been updated. Full details will be forthcoming shortly, I'm sure.
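The include_realm recommendation above is easy to get wrong in a multi-realm environment, so here is an added example (constructed for this page, not taken from the announcement, the bug, or the PostgreSQL project) showing the weak pg_hba.conf line beside a corrected one. The realm names EXAMPLE.COM and PARTNER.COM, the address range, the map name gssmap and the role names are all assumptions chosen for illustration.

```conf
# pg_hba.conf (constructed example; realm, network and map names are assumed)
#
# TYPE    DATABASE  USER  ADDRESS       METHOD
#
# Weak: include_realm=0 strips the realm before user-name mapping, so the
# principals alice@EXAMPLE.COM and alice@PARTNER.COM both arrive as "alice"
# and a principal from any realm the KDC trusts can log in as the local role.
hostssl   all       all   10.0.0.0/8    gss include_realm=0

# Corrected: keep the realm in the system user name, restrict logins to the
# expected realm, and map the full principal to a role explicitly.
hostssl   all       all   10.0.0.0/8    gss include_realm=1 krb_realm=EXAMPLE.COM map=gssmap

# pg_ident.conf (constructed example; the same map name is assumed)
#
# MAPNAME   SYSTEM-USERNAME            PG-USERNAME
# Only principals in EXAMPLE.COM match; the \1 back-reference becomes the role.
gssmap      /^(.*)@EXAMPLE\.COM$       \1
# A foreign principal such as alice@PARTNER.COM matches no line and is rejected.
```

After editing either file, reload the server (for example with `pg_ctl reload` or `SELECT pg_reload_conf();`) and confirm with a test login from each realm that the foreign principal is now refused.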
* postgresql-9.4.2 (22 May 2015)
* postgresql-9.3.7 (22 May 2015)
* postgresql-9.2.11 (22 May 2015)
* postgresql-9.1.16 (22 May 2015)
* postgresql-9.0.20 (22 May 2015)

22 May 2015; Aaron W. Swenson <titanofold@gentoo.org> +postgresql-9.0.20.ebuild, +postgresql-9.1.16.ebuild, +postgresql-9.2.11.ebuild, +postgresql-9.3.7.ebuild, +postgresql-9.4.2.ebuild, postgresql-9999.ebuild:
Version bump. Fixes multiple vulnerabilities (CVE-2015-{3165,3166,3167}). Addresses bug 550172. Live ebuild now builds everything unconditionally as makefiles will change without notice.
Stable for HPPA PPC64.
amd64 stable
x86 stable
https://wiki.postgresql.org/wiki/May_2015_Fsync_Permissions_Bug Another update is coming soon because of the above bug. As mentioned previously, the security bugs fixed with this version are *not* considered urgent. Should we put the packages back into testing?
(In reply to Aaron W. Swenson from comment #5)
> Should we put the packages back into testing?

No. When packages are available, just re-add who has already stabilized.
arm stable
The latest version resolves an issue with file permissions that can prevent PostgreSQL from starting after a crash, so please use these new targets:

=dev-db/postgresql-9.0.21
=dev-db/postgresql-9.1.17
=dev-db/postgresql-9.2.12
=dev-db/postgresql-9.3.8
=dev-db/postgresql-9.4.3
CVE-2015-3165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3165): Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence.
ppc stable
ia64 stable
sparc stable
alpha stable

Cleanup, please! GLSA vote: No.
GLSA Vote: No
28 Jun 2015; Aaron W. Swenson <titanofold@gentoo.org> -postgresql-9.0.19.ebuild, -postgresql-9.0.19-r1.ebuild, -postgresql-9.0.20.ebuild, -postgresql-9.1.15.ebuild, -postgresql-9.1.15-r1.ebuild, -postgresql-9.1.16.ebuild, -postgresql-9.2.10.ebuild, -postgresql-9.2.10-r1.ebuild, -postgresql-9.2.11.ebuild, -postgresql-9.3.6.ebuild, -postgresql-9.3.6-r1.ebuild, -postgresql-9.3.7.ebuild, -postgresql-9.4.1.ebuild, -postgresql-9.4.1-r1.ebuild, -postgresql-9.4.2.ebuild:
Cleanup insecure and buggy versions.
Arches and Maintainer(s), Thank you for your work.
It makes no sense to release a GLSA for bug 539018 and not include this, when this bug has the currently-stable versions in the tree. Added to existing GLSA draft.
This issue was resolved and addressed in GLSA 201507-20 at https://security.gentoo.org/glsa/201507-20 by GLSA coordinator Mikle Kolyada (Zlogene).