591052 – <dev-db/postgresql-{9.1.23,9.2.18,9.3.14,9.4.9,9.5.4} - multiple vulnerabilities (CVE-2016-{5423,5424})

Bug 591052 - <dev-db/postgresql-{9.1.23,9.2.18,9.3.14,9.4.9,9.5.4} - multiple vulnerabilities (CVE-2016-{5423,5424})

Summary: <dev-db/postgresql-{9.1.23,9.2.18,9.3.14,9.4.9,9.5.4} - multiple vulnerabilit...

Status:	RESOLVED DUPLICATE of bug 602130

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Stabilization (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:	CVE-2016-5423, CVE-2016-5424
Blocks:
	Show dependency tree

Reported:	2016-08-11 18:07 UTC by Aaron W. Swenson
Modified:	2017-01-12 10:36 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Aaron W. Swenson gentoo-dev

2016-08-11 18:07:41 UTC

(Below from: https://www.postgresql.org/about/news/1688/)

The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 9.5.4, 9.4.9, 9.3.14, 9.2.18 and 9.1.23. This release fixes two security issues. It also patches a number of other bugs reported over the last three months. Users who rely on security isolation between database users should update as soon as possible. Other users should plan to update at the next convenient downtime.
Security Issues

Two security holes have been closed by this release:

    CVE-2016-5423: certain nested CASE expressions can cause the server to crash.
    CVE-2016-5424: database and role names with embedded special characters can allow code injection during administrative operations like pg_dumpall.

The fix for the second issue also adds an option, -reuse-previous, to psql's \connect command. pg_dumpall will also refuse to handle database and role names containing line breaks after the update.

=======================================================================

Stabilization targets:
=dev-db/postgresql-9.1.23 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.2.18 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.14 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.9 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.4 ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86

Alpha Arch is excluded from 9.5.4 due to previous discussion revolving around upstream's official support being dropped and seriously degraded performance on that architecture.

Comment 1 Jeroen Roovers (RETIRED) gentoo-dev

2016-08-14 09:24:08 UTC

Stable for HPPA PPC64.

Comment 2 Agostino Sarubbo gentoo-dev

2016-08-18 14:54:48 UTC

amd64 stable

Comment 3 Markus Meier gentoo-dev

2016-08-18 19:38:24 UTC

arm stable

Comment 4 Tobias Klausmann (RETIRED) gentoo-dev

2016-09-02 20:08:20 UTC

Stable on alpha.

Comment 5 Agostino Sarubbo gentoo-dev

2016-12-13 11:36:49 UTC

x86 stabilization was done in bug 602130

Comment 6 Agostino Sarubbo gentoo-dev

2016-12-28 08:50:10 UTC

Dear Maintainer (or who is mainly involved in this stable request),

This is an auto-generated message that will move the current component to the new component Stabilization.
To ensure that the stabilization will proceed correctly, please fill the fields "Atoms to stabilize" and "Runtime testing required" as described here:
https://archives.gentoo.org/gentoo-dev/message/4b2ef0e9aa7588224b8ae799c5fe31fa

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-01 18:33:44 UTC

We have two bugs handling the same vulnerabilities. Please continue in bug 602130.

Comment 8 Aaron Bauman (RETIRED) gentoo-dev

2017-01-12 10:36:21 UTC


*** This bug has been marked as a duplicate of bug 602130 ***