Summary: | <dev-db/postgresql-{9.0.21,9.1.17,9.2.12,9.3.8,9.4.3}: Multiple Vulnerabilities (CVE-2015-{3165,3166,3167}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Aaron W. Swenson <titanofold> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | bruce, pgsql-bugs |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [glsa cve] | ||
Package list: | | Runtime testing required: | --- |
Description
Aaron W. Swenson
2015-05-22 13:57:18 UTC
*postgresql-9.4.2 (22 May 2015)
*postgresql-9.3.7 (22 May 2015)
*postgresql-9.2.11 (22 May 2015)
*postgresql-9.1.16 (22 May 2015)
*postgresql-9.0.20 (22 May 2015)

22 May 2015; Aaron W. Swenson <titanofold@gentoo.org>
+postgresql-9.0.20.ebuild, +postgresql-9.1.16.ebuild,
+postgresql-9.2.11.ebuild, +postgresql-9.3.7.ebuild,
+postgresql-9.4.2.ebuild, postgresql-9999.ebuild:
Version bump. Fixes multiple vulnerabilities (CVE-2015-{3165,3166,3167}).
Addresses bug 550172. Live ebuild now builds everything unconditionally as
makefiles will change without notice.

Stable for HPPA PPC64.

amd64 stable

x86 stable

https://wiki.postgresql.org/wiki/May_2015_Fsync_Permissions_Bug

Another update is coming soon because of the above bug. As mentioned previously, the security bugs fixed with this version are *not* considered urgent.

Should we put the packages back into testing?

(In reply to Aaron W. Swenson from comment #5)
> Should we put the packages back into testing?

No. When packages are available, just re-add who has already stabilized.

arm stable

The latest version resolves an issue with file permissions that can prevent PostgreSQL from starting after a crash, so please use these new targets:

=dev-db/postgresql-9.0.21
=dev-db/postgresql-9.1.17
=dev-db/postgresql-9.2.12
=dev-db/postgresql-9.3.8
=dev-db/postgresql-9.4.3

amd64 stable

x86 stable

arm stable

Stable for HPPA PPC64.

CVE-2015-3165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3165):
Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence.

ppc stable

ia64 stable

sparc stable

alpha stable

Cleanup, please!

GLSA vote: No.

GLSA Vote: No

28 Jun 2015; Aaron W. Swenson <titanofold@gentoo.org>
-postgresql-9.0.19.ebuild, -postgresql-9.0.19-r1.ebuild,
-postgresql-9.0.20.ebuild, -postgresql-9.1.15.ebuild,
-postgresql-9.1.15-r1.ebuild, -postgresql-9.1.16.ebuild,
-postgresql-9.2.10.ebuild, -postgresql-9.2.10-r1.ebuild,
-postgresql-9.2.11.ebuild, -postgresql-9.3.6.ebuild,
-postgresql-9.3.6-r1.ebuild, -postgresql-9.3.7.ebuild,
-postgresql-9.4.1.ebuild, -postgresql-9.4.1-r1.ebuild,
-postgresql-9.4.2.ebuild:
Cleanup insecure and buggy versions.

Arches and Maintainer(s), thank you for your work.

It makes no sense to release a GLSA for bug 539018 and not include this, when this bug has the currently-stable versions in the tree. Added to existing GLSA draft.

This issue was resolved and addressed in GLSA 201507-20 at https://security.gentoo.org/glsa/201507-20 by GLSA coordinator Mikle Kolyada (Zlogene).
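The two sets of fixed versions in this bug (the CVE fixes in 9.0.20/9.1.16/9.2.11/9.3.7/9.4.2, and the fsync-permissions follow-ups 9.0.21/9.1.17/9.2.12/9.3.8/9.4.3 that became the stable targets) are exactly what a fleet audit needs. The script below is an added example, not code from this bug, from Gentoo, or from the PostgreSQL project: it parses either a bare version or the banner returned by `SELECT version()`, tells CVE-fixed apart from fsync-fixed per branch, and emits the `=dev-db/postgresql-x.y.z` atom the bug asks arches to stabilize. The `audit`/`needs_update` names and the sample banners are constructed for the example.

```python
"""Check a PostgreSQL version against the fixed releases recorded in this bug.

Added example, not code from the Gentoo bug or from the PostgreSQL project.
The branch tables are copied from the bug text: CVE-2015-3165, -3166 and
-3167 are fixed in 9.0.20, 9.1.16, 9.2.11, 9.3.7 and 9.4.2; the follow-up
releases 9.0.21, 9.1.17, 9.2.12, 9.3.8 and 9.4.3 also fix the May 2015 fsync
permissions bug and are the stable targets. All sample inputs are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# First release on each 9.x branch that fixes the three CVEs (from the bug).
CVE_FIXED = {
    (9, 0): (9, 0, 20),
    (9, 1): (9, 1, 16),
    (9, 2): (9, 2, 11),
    (9, 3): (9, 3, 7),
    (9, 4): (9, 4, 2),
}
# Follow-up release on each branch that also fixes the fsync permissions bug;
# these are the stabilization targets named in the bug.
FSYNC_FIXED = {
    (9, 0): (9, 0, 21),
    (9, 1): (9, 1, 17),
    (9, 2): (9, 2, 12),
    (9, 3): (9, 3, 8),
    (9, 4): (9, 4, 3),
}

# Matches either a bare "9.3.6" or the banner returned by SELECT version(),
# e.g. "PostgreSQL 9.3.6 on x86_64-pc-linux-gnu, compiled by gcc ...".
_VERSION_RE = re.compile(r"(?:^|PostgreSQL\s+)(\d+)\.(\d+)\.(\d+)\b")


@dataclass(frozen=True)
class Finding:
    version: str        # normalized "major.minor.patch"
    cve_fixed: bool     # CVE-2015-3165/3166/3167 fixed on this server
    fsync_fixed: bool   # May 2015 fsync permissions bug fixed as well
    target: str         # Gentoo atom of the release the bug recommends


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) from a bare version or a version() banner."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"no PostgreSQL version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def audit(text: str) -> Optional[Finding]:
    """Classify a version against the bug's tables.

    Returns None for branches the bug does not cover (e.g. 8.4 or 9.5), so a
    caller can tell "outside this bug's scope" apart from "fixed".
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch not in CVE_FIXED:
        return None
    ver = (major, minor, patch)
    fixed = FSYNC_FIXED[branch]
    return Finding(
        version=".".join(map(str, ver)),
        cve_fixed=ver >= CVE_FIXED[branch],
        fsync_fixed=ver >= fixed,
        target="=dev-db/postgresql-" + ".".join(map(str, fixed)),
    )


def needs_update(text: str) -> bool:
    """True when the bug says this server should move to the new target."""
    f = audit(text)
    return f is not None and not (f.cve_fixed and f.fsync_fixed)


if __name__ == "__main__":
    # Constructed sample banners, not output from any real server.
    samples = [
        "PostgreSQL 9.3.6 on x86_64-pc-linux-gnu, compiled by gcc (Gentoo 4.8.4) 4.8.4, 64-bit",
        "PostgreSQL 9.4.2 on x86_64-pc-linux-gnu, compiled by gcc (Gentoo 4.8.4) 4.8.4, 64-bit",
        "9.2.12",
        "9.5.0",
    ]
    for s in samples:
        print(s.split(",")[0], "->", audit(s), "update:", needs_update(s))
```

A 9.4.2 server comes back `cve_fixed=True, fsync_fixed=False`, which is the case this bug is about: the CVE fix is in place, but the server still carries the permissions regression that can stop it from starting after a crash, so it is still flagged for the 9.4.3 target.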