Arch Linux: ASA-201505-17 Medium: PostgreSQL Denial of Service & Info Leak

The package postgresql before version 9.4.2-1 is vulnerable to denial of service, information disclosure and possibly key exposure via a side-channel attack.

Arch Linux Security Advisory ASA-201505-17
=========================================
Severity: Medium
Date    : 2015-05-26
CVE-ID  : CVE-2015-3165 CVE-2015-3166 CVE-2015-3167
Package : postgresql
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package postgresql before version 9.4.2-1 is vulnerable to denial of
service, information disclosure and possibly key exposure via a
side-channel attack.

Resolution
=========
Upgrade to 9.4.2-1.

# pacman -Syu "postgresql>=9.4.2-1"

The problems have been fixed upstream in version 9.4.2.

Workaround
=========
None.

Description
==========
- CVE-2015-3165 (denial of service)

SSL clients disconnecting just before the authentication timeout expires
can cause the server to crash via a double-free issue leading to denial
of service.

- CVE-2015-3166 (information disclosure)

The replacement implementation of snprintf() failed to check for errors
reported by the underlying system library calls; the main case that
might be missed is out-of-memory situations. In the worst case this
might lead to information disclosure.

- CVE-2015-3167 (side-channel key exposure)

In contrib/pgcrypto, some cases of decryption with an incorrect key
could report other error message texts. Fix by using a one-size-fits-all
message.

Impact
=====
A remote attacker is able to perform denial of service, disclose
sensitive information or possibly expose a cryptographic key via a
side-channel attack.

References
=========
https://www.postgresql.org/about/news/postgresql-942-937-9211-9116-and-9020-released-1587/
https://access.redhat.com/security/cve/CVE-2015-3165
https://access.redhat.com/security/cve/CVE-2015-3166
https://access.redhat.com/security/cve/CVE-2015-3167