USN-2772-1: PostgreSQL vulnerabilities

Releases

• Ubuntu 15.04
• Ubuntu 14.04 ESM
• Ubuntu 12.04

Packages

• postgresql-9.1 - Object-relational SQL database
• postgresql-9.3 - Object-relational SQL database
• postgresql-9.4 - Object-relational SQL database

Details

Josh Kupershmidt discovered the pgCrypto extension could expose
several bytes of server memory if the crypt() function was provided a
too-short salt. An attacker could use this flaw to read private data.
(CVE-2015-5288)

Oskari Saarenmaa discovered that the json and jsonb handlers could exhaust
available stack space. An attacker could use this flaw to perform a denial
of service attack. This issue only affected Ubuntu 14.04 LTS and Ubuntu
15.04. (CVE-2015-5289)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 15.04

• postgresql-9.4 - 9.4.5-0ubuntu0.15.04

Ubuntu 14.04

• postgresql-9.3 - 9.3.10-0ubuntu0.14.04

Ubuntu 12.04

• postgresql-9.1 - 9.1.19-0ubuntu0.12.04

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

References

• CVE-2015-5288
• CVE-2015-5289