Summary: | <dev-db/postgresql-{9.1.23,9.2.18,9.3.14,9.4.9,9.5.4}: multiple vulnerabilities (CVE-2016-{5423,5424}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | hydrapolic, pgsql-bugs, titanofold |
Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.postgresql.org/about/news/1688/ | ||
Whiteboard: | B1 [glsa cve cleanup] | ||
Package list: |
=dev-db/postgresql-9.1.24
=dev-db/postgresql-9.2.19
=dev-db/postgresql-9.3.15
=dev-db/postgresql-9.4.10
=dev-db/postgresql-9.5.5
|
Runtime testing required: | --- |
Bug Depends on: | |||
Bug Blocks: | 591052 |
Description
Thomas Deutschmann (RETIRED)
2016-12-09 09:59:36 UTC
@ Arches, please test and mark stable: =dev-db/postgresql-9.1.24 =dev-db/postgresql-9.2.19 =dev-db/postgresql-9.3.15 =dev-db/postgresql-9.4.10 =dev-db/postgresql-9.5.5 Stable on alpha. amd64 stable x86 stable arm stable sparc stable ia64 stable ppc stable ppc64 stable @ HPPA AT, you are the last arch remaining. Please test and mark stable: =dev-db/postgresql-9.1.24 hppa =dev-db/postgresql-9.2.19 hppa =dev-db/postgresql-9.3.15 hppa =dev-db/postgresql-9.4.10 hppa =dev-db/postgresql-9.5.5 hppa Stable for HPPA. CVE-2016-5424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5424): PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation. CVE-2016-5423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5423): PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types. @alpha, ==dev-db/postgresql-9.5.5 was not stabilized. I see there was a lot of movement on the keywords etc: please mark stable: =dev-db/postgresql-9.5.5 *** Bug 591052 has been marked as a duplicate of this bug. *** (In reply to Aaron Bauman from comment #13) > @alpha, ==dev-db/postgresql-9.5.5 was not stabilized. I see there was a lot > of movement on the keywords etc: > > please mark stable: > > =dev-db/postgresql-9.5.5 From 9.5 forward, Alpha will never be stabilized as upstream has dropped official support and, as a result, there is a severe drop in performance (around a 40% drop from 9.4 to 9.5). If Alpha is desired to be a supported platform, someone with that hardware should approach upstream. (In reply to Aaron W. Swenson from comment #15) > (In reply to Aaron Bauman from comment #13) > > @alpha, ==dev-db/postgresql-9.5.5 was not stabilized. I see there was a lot > > of movement on the keywords etc: > > > > please mark stable: > > > > =dev-db/postgresql-9.5.5 > > From 9.5 forward, Alpha will never be stabilized as upstream has dropped > official support and, as a result, there is a severe drop in performance > (around a 40% drop from 9.4 to 9.5). > > If Alpha is desired to be a supported platform, someone with that hardware > should approach upstream. Thanks for the information. Please proceed with cleanup of the vulnerable versions. (In reply to Aaron Bauman from comment #16) > Thanks for the information. Please proceed with cleanup of the vulnerable > versions. Done. This issue was resolved and addressed in GLSA 201701-33 at https://security.gentoo.org/glsa/201701-33 by GLSA coordinator Aaron Bauman (b-man). |