
Debian: DSA-3269-1 Critical: PostgreSQL-9.1 Remote Crash Risk

May 22, 2015

Several vulnerabilities have been found in PostgreSQL-9.1, a SQL database system.

Summary

CVE-2015-3165 (Remote crash)

SSL clients disconnecting just before the authentication timeout
expires can cause the server to crash.

CVE-2015-3166 (Information exposure)

The replacement implementation of snprintf() failed to check for
errors reported by the underlying system library calls; the main
case that might be missed is out-of-memory situations. In the worst
case this might lead to information exposure.

CVE-2015-3167 (Possible side-channel key exposure)

In contrib/pgcrypto, some cases of decryption with an incorrect key
could report other error message texts. Fix by using a
one-size-fits-all message.

For the oldstable distribution (wheezy), these problems have been fixed
in version 9.1.16-0+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 9.1.16-0+deb8u1. (Jessie contains a reduced postgresql-9.1
package; only CVE-2015-3166 is fixed in the produced binary package
postgresql-plperl-9.1. We recommend to upgrade to postgr...


Severity: critical

Package: postgresql-9.1
CVE ID: CVE-2015-3165 CVE-2015-3166 CVE-2015-3167
