USN-2499-1: PostgreSQL vulnerabilities

Ubuntu Security Notice USN-2499-1
11th February, 2015

postgresql-8.4, postgresql-9.1, postgresql-9.3, postgresql-9.4 vulnerabilities


These security issues affect the following releases of Ubuntu and its derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS


Summary


Several security issues were fixed in PostgreSQL.


Software description



  • postgresql-8.4 - Object-relational SQL database

  • postgresql-9.1 - Object-relational SQL database

  • postgresql-9.3 - Object-relational SQL database

  • postgresql-9.4 - Object-relational SQL database


Details


Stephen Frost discovered that PostgreSQL included column values in constraint-violation error messages without checking whether the user was permitted to read those columns. An authenticated user could use this to see values that their permissions should not have allowed them to read. (CVE-2014-8161)


Andres Freund, Peter Geoghegan and Noah Misch discovered that PostgreSQL incorrectly handled buffers in the to_char() functions. An authenticated attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-0241)


It was discovered that PostgreSQL incorrectly handled memory in the pgcrypto extension. An authenticated attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-0243)


Emil Lenngren discovered that PostgreSQL incorrectly handled extended protocol message reading. An authenticated attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly inject query messages. (CVE-2015-0244)


Update instructions


The problem can be corrected by updating your system to the following package versions:

  • Ubuntu 14.10: postgresql-9.4 9.4.1-0ubuntu0.14.10
  • Ubuntu 14.04 LTS: postgresql-9.3 9.3.6-0ubuntu0.14.04
  • Ubuntu 12.04 LTS: postgresql-9.1 9.1.15-0ubuntu0.12.04
  • Ubuntu 10.04 LTS: postgresql-8.4 8.4.22-0ubuntu0.10.04.1


To update your system, please follow these instructions: http://bit.ly/1aJDvTw.


This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes. These are minor PostgreSQL releases, so existing clusters need no dump and reload, but the server only executes the fixed code once it has been restarted: after upgrading, confirm from a client with SELECT version(); that the running server reports the new minor version and not just that the package is installed.


References


CVE-2014-8161, CVE-2015-0241, CVE-2015-0243, CVE-2015-0244

from Ubuntu Security Notices http://bit.ly/199OVoX