Re: Salvatore Bonaccorso 2015-05-21 <20150521074057.GA13254@eldamar.local>

> > 9.4/unstable update in Friday. I can push the other packages earlier
> > for release on Friday if you permit.
>
> Thanks for preparing those. Yes please go ahead, but see one small
> comment below.
>
> > postgresql-9.4:
> >   unstable+testing: 9.4.2-1
> >   jessie: 9.4.2-0+deb8u1
> >
> > postgresql-9.1:
> >   unstable+testing: plperl-only compatibility package: rather than
> >     providing a fix I should use the opportunity to get the packages
> >     removed there
> >   jessie: plperl-only compatibility package, only affected by CVE-2015-3166
> >     9.1.16-0+deb8u1
> >   wheezy: 9.1.16-0+deb7u1
>
> Since those will have the same orig tarball and we are supporting both
> wheezy and jessie:
>
> https://wiki.debian.org/DebianSecurity/AdvisoryCreation/SecFull#Stable_and_oldstable_sharing_the_same_upstream_tarball
Thanks for the pointer! Here's the 9.1 text:

-------------------------------------------------------------------------
Debian Security Advisory DSA-3269-1                   secur...@debian.org
http://www.debian.org/security/                           Christoph Berg
May 22, 2015                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : postgresql-9.1
CVE ID         : CVE-2015-3165 CVE-2015-3166 CVE-2015-3167

Several vulnerabilities have been found in PostgreSQL-9.1, a SQL
database system.

CVE-2015-3165: Remote crash

    SSL clients disconnecting just before the authentication timeout
    expires can cause the server to crash.

CVE-2015-3166: Information exposure

    The replacement implementation of snprintf() failed to check for
    errors reported by the underlying system library calls; the main
    case that might be missed is out-of-memory situations. In the worst
    case this might lead to information exposure.

CVE-2015-3167: Possible side-channel key exposure

    In contrib/pgcrypto, some cases of decryption with an incorrect key
    could report other error message texts. Fix by using a
    one-size-fits-all message.

For the oldstable distribution (wheezy), these problems have been fixed
in version 9.1.16-0+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 9.1.16-0+deb8u1. (Jessie contains a reduced postgresql-9.1
package; only CVE-2015-3166 is fixed here. We recommend to upgrade to
postgresql-9.4 to get the full set of fixes. See the Jessie release
notes for details.)

The testing and unstable distributions (stretch, sid) do not contain
the postgresql-9.1 package.

We recommend that you upgrade your postgresql-9.1 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


Here's the 9.4 text:

-------------------------------------------------------------------------
Debian Security Advisory DSA-3270-1                   secur...@debian.org
http://www.debian.org/security/                           Christoph Berg
May 22, 2015                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : postgresql-9.4
CVE ID         : CVE-2015-3165 CVE-2015-3166 CVE-2015-3167

Several vulnerabilities have been found in PostgreSQL-9.4, a SQL
database system.

CVE-2015-3165: Remote crash

    SSL clients disconnecting just before the authentication timeout
    expires can cause the server to crash.

CVE-2015-3166: Information exposure

    The replacement implementation of snprintf() failed to check for
    errors reported by the underlying system library calls; the main
    case that might be missed is out-of-memory situations. In the worst
    case this might lead to information exposure.

CVE-2015-3167: Possible side-channel key exposure

    In contrib/pgcrypto, some cases of decryption with an incorrect key
    could report other error message texts. Fix by using a
    one-size-fits-all message.

The oldstable distribution (wheezy) does not contain the postgresql-9.4
package.

For the stable distribution (jessie), these problems have been fixed in
version 9.4.2-0+deb8u1.

For the testing distribution (stretch), these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 9.4.2-1.

We recommend that you upgrade your postgresql-9.4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

Christoph
-- 
c...@df7cb.de | http://www.df7cb.de/
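To turn the version statements in the two advisories above into a check, here is an added example (not part of this thread, of Debian's tooling or of the PostgreSQL packages): a Python re-implementation of dpkg's version ordering, applied to the fixed versions the advisories name. The FIXED_IN table, is_fixed and any sample installed versions are this example's own assumptions; on a Debian host `dpkg --compare-versions` yields the same ordering.

```python
# Added example, not from the mail or from dpkg: Debian version ordering as dpkg's
# verrevcmp does it, used to check an installed version against the advisories' fixes.
import re
from itertools import zip_longest

def _order(c):
    # dpkg weight of a non-digit: '~' sorts before everything, even an exhausted
    # string (weight 0); letters come before other punctuation
    if c == "~":
        return -1
    return 0 if not c else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Alternate non-digit runs (compared char by char with _order) and digit runs
    # (compared as numbers, so leading zeros are ignored, as in dpkg)
    runs = zip_longest(re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b),
                       fillvalue=("", ""))
    for (na, da), (nb, db) in runs:
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(v1, v2):
    """-1, 0 or 1, like `dpkg --compare-versions v1 lt|eq|gt v2`."""
    def split(v):  # [epoch:]upstream[-revision]; a missing revision sorts as "0"
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

FIXED_IN = {  # (package, suite) -> fixed version, as stated in the two advisories
    ("postgresql-9.1", "wheezy"): "9.1.16-0+deb7u1",
    ("postgresql-9.1", "jessie"): "9.1.16-0+deb8u1",
    ("postgresql-9.4", "jessie"): "9.4.2-0+deb8u1",
    ("postgresql-9.4", "sid"): "9.4.2-1",
}

def is_fixed(package, suite, installed):
    # True if installed >= fixed, False if older, None if no fix is listed for the pair
    fixed = FIXED_IN.get((package, suite))
    return None if fixed is None else compare_versions(installed, fixed) >= 0
```

Note that the jessie security version 9.4.2-0+deb8u1 sorts below the sid version 9.4.2-1 on purpose, so a later migration from unstable still upgrades over it.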
_______________________________________________
Pkg-postgresql-public mailing list
Pkg-postgresql-public@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-postgresql-public