Bug 591052 - <dev-db/postgresql-{9.1.23,9.2.18,9.3.14,9.4.9,9.5.4} - multiple vulnerabilities (CVE-2016-{5423,5424})
Status: RESOLVED DUPLICATE of bug 602130
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Stabilization
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on: CVE-2016-5423, CVE-2016-5424
Blocks:
Reported: 2016-08-11 18:07 UTC by Aaron W. Swenson
Modified: 2017-01-12 10:36 UTC

See Also:
Package list:
Runtime testing required: ---


Description Aaron W. Swenson gentoo-dev 2016-08-11 18:07:41 UTC
(Below from: https://www.postgresql.org/about/news/1688/)

The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 9.5.4, 9.4.9, 9.3.14, 9.2.18 and 9.1.23. This release fixes two security issues. It also patches a number of other bugs reported over the last three months. Users who rely on security isolation between database users should update as soon as possible. Other users should plan to update at the next convenient downtime.
Security Issues

Two security holes have been closed by this release:

    CVE-2016-5423: certain nested CASE expressions can cause the server to crash.
    CVE-2016-5424: database and role names with embedded special characters can allow code injection during administrative operations like pg_dumpall.

The fix for the second issue also adds an option, -reuse-previous, to psql's \connect command. pg_dumpall will also refuse to handle database and role names containing line breaks after the update.

=======================================================================

Stabilization targets:
=dev-db/postgresql-9.1.23 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.2.18 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.14 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.9 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.4 ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86

Alpha Arch is excluded from 9.5.4 due to previous discussion revolving around upstream's official support being dropped and seriously degraded performance on that architecture.
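Two defender-side checks that follow from the notice quoted above, written as an added example for this bug (it is not code from Gentoo, from PostgreSQL, or from the reporter): the first maps a server's reported version onto the fixed releases listed in the notice (9.1.23, 9.2.18, 9.3.14, 9.4.9, 9.5.4) to tell whether CVE-2016-5423 and CVE-2016-5424 are covered; the second lists the database and role names that the fixed pg_dumpall would refuse, i.e. names containing a line break. The `version()` banner and the role names used as input are constructed sample data; the `PostgreSQL X.Y.Z on ...` banner shape is what `SELECT version()` returns on a 9.x server.

```python
"""Checks derived from the PostgreSQL release notice for 9.5.4 / 9.4.9 /
9.3.14 / 9.2.18 / 9.1.23 (CVE-2016-5423, CVE-2016-5424).

Added example, not Gentoo's or PostgreSQL's code. Sample inputs are constructed.
"""
import re

# Minimum patch level per branch that carries the fixes, from the notice.
FIXED_MINOR = {
    (9, 1): 23,
    (9, 2): 18,
    (9, 3): 14,
    (9, 4): 9,
    (9, 5): 4,
}

# Constructed sample output of `SELECT version()` on an unpatched 9.4 server.
SAMPLE_BANNER = ("PostgreSQL 9.4.8 on x86_64-pc-linux-gnu, "
                 "compiled by gcc (Gentoo 4.9.3) 4.9.3, 64-bit")

# Constructed sample role names, as `SELECT rolname FROM pg_roles` might list them.
SAMPLE_NAMES = ["postgres", "app_reader", "report\nrole", "backup"]


def version_from_banner(banner):
    """Extract the dotted version number from a `version()` banner string."""
    match = re.match(r"PostgreSQL (\d+(?:\.\d+)+)", banner)
    if not match:
        raise ValueError("not a PostgreSQL version banner: %r" % banner)
    return match.group(1)


def parse_version(version):
    """Turn 'X.Y.Z' (or 'X.Y' for a .0 release) into a 3-tuple of ints."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(version):
    """True/False for a branch covered by the notice; None for a branch the
    notice does not list (e.g. end-of-life 9.0), so the caller knows this
    table cannot answer the question for it."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_MINOR.get((major, minor))
    if fixed is None:
        return None
    return patch >= fixed


def names_refused_by_pg_dumpall(names):
    """Names the fixed pg_dumpall refuses to handle: those containing a line
    break (LF or CR). Such names should be renamed before the next dump."""
    return [n for n in names if "\n" in n or "\r" in n]


if __name__ == "__main__":
    ver = version_from_banner(SAMPLE_BANNER)
    print("server %s patched: %s" % (ver, is_patched(ver)))
    for name in names_refused_by_pg_dumpall(SAMPLE_NAMES):
        print("pg_dumpall would refuse role name %r" % name)
```

Against the constructed banner this reports 9.4.8 as unpatched (the notice fixes 9.4 at 9.4.9) and flags the one role name carrying an embedded newline; run the same two functions over the real `version()` output and the contents of `pg_roles` and `pg_database` to know whether a given host is still exposed and whether any existing names will block a post-update `pg_dumpall`.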
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2016-08-14 09:24:08 UTC
Stable for HPPA PPC64.
Comment 2 Agostino Sarubbo gentoo-dev 2016-08-18 14:54:48 UTC
amd64 stable
Comment 3 Markus Meier gentoo-dev 2016-08-18 19:38:24 UTC
arm stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2016-09-02 20:08:20 UTC
Stable on alpha.
Comment 5 Agostino Sarubbo gentoo-dev 2016-12-13 11:36:49 UTC
x86 stabilization was done in bug 602130
Comment 6 Agostino Sarubbo gentoo-dev 2016-12-28 08:50:10 UTC
Dear Maintainer (or who is mainly involved in this stable request),

This is an auto-generated message that will move the current component to the new component Stabilization.
To ensure that the stabilization will proceed correctly, please fill the fields "Atoms to stabilize" and "Runtime testing required" as described here:
https://archives.gentoo.org/gentoo-dev/message/4b2ef0e9aa7588224b8ae799c5fe31fa
Comment 7 Thomas Deutschmann gentoo-dev 2017-01-01 18:33:44 UTC
We have two bugs handling the same vulnerabilities. Please continue in bug 602130.
Comment 8 Aaron Bauman gentoo-dev Security 2017-01-12 10:36:21 UTC

*** This bug has been marked as a duplicate of bug 602130 ***