2015-10-08 Security Update Release Posted on Oct. 8, 2015 The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 9.4.5, 9.3.10, 9.2.14, 9.1.19 and 9.0.23. This release fixes two security issues, as well as several bugs found over the last four months. Users vulnerable to the security issues should update their installations immediately; other users should update at the next scheduled downtime. This is also the final update release for major version 9.0. Security Fixes Two security issues have been fixed in this release which affect users of specific PostgreSQL features: CVE-2015-5289: json or jsonb input values constructed from arbitrary user input can crash the PostgreSQL server and cause a denial of service. CVE-2015-5288: The crypt() function included with the optional pgCrypto extension could be exploited to read a few additional bytes of memory. No working exploit for this issue has been developed. The PostgreSQL project thanks Josh Kupershmidt and Oskari Saarenmaa for reporting these issues. This update will also disable SSL renegotiation by default; previously, it was enabled by default. SSL renegotiation will be removed entirely in PostgreSQL versions 9.5 and later. Other Fixes and Improvements In addition to the above, many other issues were patched in this release based on bugs reported by our users over the last few months. These fixes include: Prevent deeply nested regex, LIKE and SIMILAR matching from crashing the server Multiple other fixes with regular expression handling Ensure that ALTER TABLE sets all locks for CONSTRAINT modifications Fix subtransaction cleanup when a cursor fails, preventing a crash Prevent deadlock during WAL insertion when commit_delay is set Fix locking during updating of updatable views Prevent corruption of relation cache "init file" Improve performance of large SPI query results Improve LISTEN startup time Disable SSL renegotiation by default Lower minimum for *_freeze_max_age parameters Limit the maximum for wal_buffers to 2GB Guard against potential stack overflows in several areas Fix handling of DOW and DOY in datetime input Allow regular expression queries to be canceled sooner Fix assorted planner bugs Fix several shutdown issues in the postmaster Make anti-wraparound autovacuuming more robust Fix minor issues with GIN and SP-GiST indexes. Fix several issues with PL/Python, PL/Perl and PL/Tcl Improve pg_stat_statements' garbage collection Improve collation handling in pgsql_fdw Improve libpq's handling of out-of-memory conditions Prevent psql crash when there is no current connection Multiple fixes to pg_dump, including file and object permissions Improve handling of privileges when dumping from old PostgreSQL versions Fix issues with support of Alpha, PPC, AIX and Solaris platforms Fix startup issue on Windows with Chinese locale Fix Windows install.bat script to handle spaces in filenames Make the numeric PostgreSQL version number available to extensions
New versions in tree. Targets are: =dev-db/postgresql-9.0.23 =dev-db/postgresql-9.1.19 =dev-db/postgresql-9.2.14 =dev-db/postgresql-9.3.10 =dev-db/postgresql-9.4.5
Stable for PPC64.
amd64 stable
x86 stable
Stable for HPPA.
ppc stable
ia64 stable
sparc stable
arm stable
alpha stable. Maintainer(s), please cleanup. Security, please vote.
Arches, Thank you for your work. GLSA Vote: Yes Maintainer(s), please drop the vulnerable version(s).
(In reply to Yury German from comment #11) > Arches, Thank you for your work. > GLSA Vote: Yes > > Maintainer(s), please drop the vulnerable version(s). Dropped.
GLSA vote: yes
This issue was resolved and addressed in GLSA 201701-33 at https://security.gentoo.org/glsa/201701-33 by GLSA coordinator Aaron Bauman (b-man).
