Bug 562586 (CVE-2015-5288, CVE-2015-5289) - <dev-db/postgresql-{9.0.23,9.1.19,9.2.14,9.3.10,9.4.5} - multiple vulnerabilities (CVE-2015-{5288,5289})
Alias: CVE-2015-5288, CVE-2015-5289
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa cve]
Reported: 2015-10-08 17:14 UTC by Tomáš Mózes
Modified: 2017-01-12 16:10 UTC
Description Tomáš Mózes 2015-10-08 17:14:57 UTC
2015-10-08 Security Update Release
Posted on Oct. 8, 2015

The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 9.4.5, 9.3.10, 9.2.14, 9.1.19 and 9.0.23. This release fixes two security issues, as well as several bugs found over the last four months. Users vulnerable to the security issues should update their installations immediately; other users should update at the next scheduled downtime. This is also the final update release for major version 9.0.

Security Fixes

Two security issues have been fixed in this release which affect users of specific PostgreSQL features:

CVE-2015-5289: json or jsonb input values constructed from arbitrary user input can crash the PostgreSQL server and cause a denial of service.

CVE-2015-5288: The crypt() function included with the optional pgCrypto extension could be exploited to read a few additional bytes of memory. No working exploit for this issue has been developed.

The PostgreSQL project thanks Josh Kupershmidt and Oskari Saarenmaa for reporting these issues.

This update will also disable SSL renegotiation by default; previously, it was enabled by default. SSL renegotiation will be removed entirely in PostgreSQL versions 9.5 and later.

Other Fixes and Improvements

In addition to the above, many other issues were patched in this release based on bugs reported by our users over the last few months. These fixes include:

    Prevent deeply nested regex, LIKE and SIMILAR matching from crashing the server
    Multiple other fixes with regular expression handling
    Ensure that ALTER TABLE sets all locks for CONSTRAINT modifications
    Fix subtransaction cleanup when a cursor fails, preventing a crash
    Prevent deadlock during WAL insertion when commit_delay is set
    Fix locking during updating of updatable views
    Prevent corruption of relation cache "init file"
    Improve performance of large SPI query results
    Improve LISTEN startup time
    Disable SSL renegotiation by default
    Lower minimum for *_freeze_max_age parameters
    Limit the maximum for wal_buffers to 2GB
    Guard against potential stack overflows in several areas
    Fix handling of DOW and DOY in datetime input
    Allow regular expression queries to be canceled sooner
    Fix assorted planner bugs
    Fix several shutdown issues in the postmaster
    Make anti-wraparound autovacuuming more robust
    Fix minor issues with GIN and SP-GiST indexes.
    Fix several issues with PL/Python, PL/Perl and PL/Tcl
    Improve pg_stat_statements' garbage collection
    Improve collation handling in pgsql_fdw
    Improve libpq's handling of out-of-memory conditions
    Prevent psql crash when there is no current connection
    Multiple fixes to pg_dump, including file and object permissions
    Improve handling of privileges when dumping from old PostgreSQL versions
    Fix issues with support of Alpha, PPC, AIX and Solaris platforms
    Fix startup issue on Windows with Chinese locale
    Fix Windows install.bat script to handle spaces in filenames
    Make the numeric PostgreSQL version number available to extensions
Comment 1 Aaron W. Swenson gentoo-dev 2015-10-08 20:37:22 UTC
New versions in tree.

Targets are:

Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-10-09 05:29:28 UTC
Stable for PPC64.
Comment 3 Agostino Sarubbo gentoo-dev 2015-10-09 07:13:07 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-10-09 07:13:37 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-10-10 03:13:28 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2015-10-10 16:18:12 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-10-11 09:38:28 UTC
ia64 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-10-11 12:20:20 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-10-12 08:15:24 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-10-12 10:21:42 UTC
alpha stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-10-13 01:50:06 UTC
Arches, Thank you for your work.
GLSA Vote: Yes

Maintainer(s), please drop the vulnerable version(s).
Comment 12 Aaron W. Swenson gentoo-dev 2015-10-13 14:59:45 UTC
(In reply to Yury German from comment #11)
> Arches, Thank you for your work.
> GLSA Vote: Yes
> Maintainer(s), please drop the vulnerable version(s).

Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-11-02 20:43:05 UTC
GLSA vote: yes
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-01-12 16:10:24 UTC
This issue was resolved and addressed in
 GLSA 201701-33 at
by GLSA coordinator Aaron Bauman (b-man).