Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 550172 - <dev-db/postgresql-{9.0.21,9.1.17,9.2.12,9.3.8,9.4.3}: Multiple Vulnerabilities (CVE-2015-{3165,3166,3167})
Summary: <dev-db/postgresql-{9.0.21,9.1.17,9.2.12,9.3.8,9.4.3}: Multiple Vulnerabiliti...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-22 13:57 UTC by Aaron W. Swenson
Modified: 2015-07-18 13:02 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aaron W. Swenson gentoo-dev 2015-05-22 13:57:18 UTC
This update fixes three security vulnerabilities reported in
PostgreSQL over the past few months. Nether of these issues is seen as
particularly urgent. However, users should examine them in case their
installations are vulnerable:

    CVE-2015-3165 Double "free" after authentication timeout.
    CVE-2015-3166 Unanticipated errors from the standard library.
    CVE-2015-3167 pgcrypto has multiple error messages for decryption
                  with an incorrect key.

Additionally, we are recommending that all users who use Kerberos,
GSSAPI, or SSPI authentication set include_realm to 1 in pg_hba.conf,
which will become the default in future versions.

More information about these issues, as well as older patched issues,
is available on the PostgreSQL Security Page.

========================================================================

CVEs have not yet been updated. Full details will be forthcoming
shortly, I'm sure.
Comment 1 Aaron W. Swenson gentoo-dev 2015-05-22 14:07:43 UTC
*postgresql-9.4.2 (22 May 2015)
*postgresql-9.3.7 (22 May 2015)
*postgresql-9.2.11 (22 May 2015)
*postgresql-9.1.16 (22 May 2015)
*postgresql-9.0.20 (22 May 2015)

  22 May 2015; Aaron W. Swenson <titanofold@gentoo.org>
  +postgresql-9.0.20.ebuild, +postgresql-9.1.16.ebuild,
  +postgresql-9.2.11.ebuild, +postgresql-9.3.7.ebuild,
  +postgresql-9.4.2.ebuild, postgresql-9999.ebuild:
  Version bump. Fixes multiple vulnerabilities (CVE-2015-{3165,3166,3167}).
  Addresses bug 550172. Live ebuild now builds everything unconditionally as
  makefiles will change without notice.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-25 04:26:24 UTC
Stable for HPPA PPC64.
Comment 3 Agostino Sarubbo gentoo-dev 2015-05-25 16:07:06 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-05-25 16:07:27 UTC
x86 stable
Comment 5 Aaron W. Swenson gentoo-dev 2015-05-26 20:56:23 UTC
https://wiki.postgresql.org/wiki/May_2015_Fsync_Permissions_Bug

Another update is coming soon because of the above bug.

As mentioned previously, the security bugs fixed with this version are *not* considered urgent.

Should we put the packages back into testing?
Comment 6 Agostino Sarubbo gentoo-dev 2015-05-27 08:19:27 UTC
(In reply to Aaron W. Swenson from comment #5)
> Should we put the packages back into testing?

No. When packages area available, just readd who has already stabilized.
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-05-31 12:24:49 UTC
arm stable
Comment 8 Aaron W. Swenson gentoo-dev 2015-06-04 19:45:09 UTC
The latest version resolves an issue with file permissions that can prevent PostgreSQL from starting after a crash, so please use these new targets:

=dev-db/postgresql-9.0.21
=dev-db/postgresql-9.1.17
=dev-db/postgresql-9.2.12
=dev-db/postgresql-9.3.8
=dev-db/postgresql-9.4.3
Comment 9 Agostino Sarubbo gentoo-dev 2015-06-05 08:59:57 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-06-05 09:00:54 UTC
x86 stable
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-06-05 15:00:22 UTC
arm stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-07 06:21:39 UTC
Stable for HPPA PPC64.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:38:19 UTC
CVE-2015-3165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3165):
  Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16,
  9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows
  remote attackers to cause a denial of service (crash) by closing an SSL
  session at a time when the authentication timeout will expire during the
  session shutdown sequence.
Comment 14 Agostino Sarubbo gentoo-dev 2015-06-16 09:00:07 UTC
ppc stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-06-16 09:00:30 UTC
ia64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2015-06-17 08:58:55 UTC
sparc stable
Comment 17 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-06-28 14:03:20 UTC
alpha stable

Cleanup, please!

GLSA vote: No.
Comment 18 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-28 14:12:18 UTC
GLSA Vote: No
Comment 19 Aaron W. Swenson gentoo-dev 2015-06-28 21:42:52 UTC
  28 Jun 2015; Aaron W. Swenson <titanofold@gentoo.org>
  -postgresql-9.0.19.ebuild, -postgresql-9.0.19-r1.ebuild,
  -postgresql-9.0.20.ebuild, -postgresql-9.1.15.ebuild,
  -postgresql-9.1.15-r1.ebuild, -postgresql-9.1.16.ebuild,
  -postgresql-9.2.10.ebuild, -postgresql-9.2.10-r1.ebuild,
  -postgresql-9.2.11.ebuild, -postgresql-9.3.6.ebuild,
  -postgresql-9.3.6-r1.ebuild, -postgresql-9.3.7.ebuild,
  -postgresql-9.4.1.ebuild, -postgresql-9.4.1-r1.ebuild,
  -postgresql-9.4.2.ebuild:
  Cleanup insecure and buggy versions.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2015-06-29 21:13:48 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 21 Sean Amoss (RETIRED) gentoo-dev Security 2015-07-12 12:37:20 UTC
It makes no sense to release a GLSA for bug 539018 and not include this, when this bug has the currently-stable versions in the tree. 

Added to existing GLSA draft.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2015-07-18 13:02:22 UTC
This issue was resolved and addressed in
 GLSA 201507-20 at https://security.gentoo.org/glsa/201507-20
by GLSA coordinator Mikle Kolyada (Zlogene).