
Bug 550172

Summary: <dev-db/postgresql-{9.0.21,9.1.17,9.2.12,9.3.8,9.4.3}: Multiple Vulnerabilities (CVE-2015-{3165,3166,3167})
Product: Gentoo Security
Reporter: Aaron W. Swenson <titanofold>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: bruce, pgsql-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---

Description Aaron W. Swenson gentoo-dev 2015-05-22 13:57:18 UTC
This update fixes three security vulnerabilities reported in
PostgreSQL over the past few months. Neither of these issues is seen as
particularly urgent. However, users should examine them in case their
installations are vulnerable:

    CVE-2015-3165 Double "free" after authentication timeout.
    CVE-2015-3166 Unanticipated errors from the standard library.
    CVE-2015-3167 pgcrypto has multiple error messages for decryption
                  with an incorrect key.

Additionally, we are recommending that all users who use Kerberos,
GSSAPI, or SSPI authentication set include_realm to 1 in pg_hba.conf,
which will become the default in future versions.

More information about these issues, as well as older patched issues,
is available on the PostgreSQL Security Page.

========================================================================

CVEs have not yet been updated. Full details will be forthcoming
shortly, I'm sure.
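As an added example (not code from the bug report or from the PostgreSQL project), the following Python audit flags pg_hba.conf rules that use the Kerberos-family methods (gss, sspi, krb5) without the include_realm=1 setting recommended above. The sample configuration and the method list used to locate the METHOD column are constructed assumptions for the demonstration.

```python
# Constructed sample pg_hba.conf (illustrative only; not from the bug report).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD  [OPTIONS]
local   all       all                  peer
host    all       all   10.0.0.0/8     gss
host    all       all   10.0.0.0/8     sspi include_realm=0 krb_realm=CORP.EXAMPLE
hostssl all       all   192.0.2.0/24   gss include_realm=1 krb_realm=CORP.EXAMPLE
host    all       all   ::1/128        krb5
host    all       all   0.0.0.0/0      md5
"""

# Authentication methods that can appear in pg_hba.conf; used to locate the
# METHOD column regardless of how the address was written (assumed list).
METHODS = {"trust", "reject", "md5", "password", "gss", "sspi", "krb5",
           "ident", "peer", "pam", "ldap", "radius", "cert"}
# Methods that derive the role name from a Kerberos principal.
REALM_METHODS = {"gss", "sspi", "krb5"}


def parse_line(line):
    """Return (method, {option: value}) for a rule line, or None for
    blank/comment lines. Inline '#' comments are stripped first."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    # TYPE DATABASE USER come first; the method is the first later field
    # naming a known method (the address may be absent or span two fields).
    for i in range(3, len(fields)):
        if fields[i] in METHODS:
            opts = {}
            for opt in fields[i + 1:]:
                key, _, val = opt.partition("=")
                opts[key] = val
            return fields[i], opts
    return None


def find_missing_include_realm(hba_text):
    """Return [(line_number, rule_text)] for gss/sspi/krb5 rules that do
    not set include_realm=1, i.e. rules that still strip the realm."""
    findings = []
    for lineno, line in enumerate(hba_text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        method, opts = parsed
        if method in REALM_METHODS and opts.get("include_realm") != "1":
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, rule in find_missing_include_realm(SAMPLE_HBA):
        print(f"line {lineno}: include_realm=1 missing -> {rule}")
```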
Comment 1 Aaron W. Swenson gentoo-dev 2015-05-22 14:07:43 UTC
*postgresql-9.4.2 (22 May 2015)
*postgresql-9.3.7 (22 May 2015)
*postgresql-9.2.11 (22 May 2015)
*postgresql-9.1.16 (22 May 2015)
*postgresql-9.0.20 (22 May 2015)

  22 May 2015; Aaron W. Swenson <titanofold@gentoo.org>
  +postgresql-9.0.20.ebuild, +postgresql-9.1.16.ebuild,
  +postgresql-9.2.11.ebuild, +postgresql-9.3.7.ebuild,
  +postgresql-9.4.2.ebuild, postgresql-9999.ebuild:
  Version bump. Fixes multiple vulnerabilities (CVE-2015-{3165,3166,3167}).
  Addresses bug 550172. Live ebuild now builds everything unconditionally as
  makefiles will change without notice.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-25 04:26:24 UTC
Stable for HPPA PPC64.
Comment 3 Agostino Sarubbo gentoo-dev 2015-05-25 16:07:06 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-05-25 16:07:27 UTC
x86 stable
Comment 5 Aaron W. Swenson gentoo-dev 2015-05-26 20:56:23 UTC
https://wiki.postgresql.org/wiki/May_2015_Fsync_Permissions_Bug

Another update is coming soon because of the above bug.

As mentioned previously, the security bugs fixed with this version are *not* considered urgent.

Should we put the packages back into testing?
Comment 6 Agostino Sarubbo gentoo-dev 2015-05-27 08:19:27 UTC
(In reply to Aaron W. Swenson from comment #5)
> Should we put the packages back into testing?

No. When packages are available, just re-add those who have already stabilized.
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-05-31 12:24:49 UTC
arm stable
Comment 8 Aaron W. Swenson gentoo-dev 2015-06-04 19:45:09 UTC
The latest version resolves an issue with file permissions that can prevent PostgreSQL from starting after a crash, so please use these new targets:

=dev-db/postgresql-9.0.21
=dev-db/postgresql-9.1.17
=dev-db/postgresql-9.2.12
=dev-db/postgresql-9.3.8
=dev-db/postgresql-9.4.3
Comment 9 Agostino Sarubbo gentoo-dev 2015-06-05 08:59:57 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-06-05 09:00:54 UTC
x86 stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-05 15:00:22 UTC
arm stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-07 06:21:39 UTC
Stable for HPPA PPC64.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:38:19 UTC
CVE-2015-3165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3165):
  Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16,
  9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows
  remote attackers to cause a denial of service (crash) by closing an SSL
  session at a time when the authentication timeout will expire during the
  session shutdown sequence.
Comment 14 Agostino Sarubbo gentoo-dev 2015-06-16 09:00:07 UTC
ppc stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-06-16 09:00:30 UTC
ia64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2015-06-17 08:58:55 UTC
sparc stable
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-28 14:03:20 UTC
alpha stable

Cleanup, please!

GLSA vote: No.
Comment 18 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-28 14:12:18 UTC
GLSA Vote: No
Comment 19 Aaron W. Swenson gentoo-dev 2015-06-28 21:42:52 UTC
  28 Jun 2015; Aaron W. Swenson <titanofold@gentoo.org>
  -postgresql-9.0.19.ebuild, -postgresql-9.0.19-r1.ebuild,
  -postgresql-9.0.20.ebuild, -postgresql-9.1.15.ebuild,
  -postgresql-9.1.15-r1.ebuild, -postgresql-9.1.16.ebuild,
  -postgresql-9.2.10.ebuild, -postgresql-9.2.10-r1.ebuild,
  -postgresql-9.2.11.ebuild, -postgresql-9.3.6.ebuild,
  -postgresql-9.3.6-r1.ebuild, -postgresql-9.3.7.ebuild,
  -postgresql-9.4.1.ebuild, -postgresql-9.4.1-r1.ebuild,
  -postgresql-9.4.2.ebuild:
  Cleanup insecure and buggy versions.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2015-06-29 21:13:48 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 21 Sean Amoss (RETIRED) gentoo-dev Security 2015-07-12 12:37:20 UTC
It makes no sense to release a GLSA for bug 539018 and not include this, when this bug has the currently-stable versions in the tree. 

Added to existing GLSA draft.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2015-07-18 13:02:22 UTC
This issue was resolved and addressed in
 GLSA 201507-20 at https://security.gentoo.org/glsa/201507-20
by GLSA coordinator Mikle Kolyada (Zlogene).