[ubuntu/trusty-updates] postgresql-9.1 9.1.16-0ubuntu0.14.04 (Accepted)

Ubuntu Archive Robot cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Mon May 25 11:58:38 UTC 2015

postgresql-9.1 (9.1.16-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream security/bug fix release (LP: #1457093)
    - Improve detection of system-call failures
      Our replacement implementation of snprintf() failed to check for errors
      reported by the underlying system library calls; the main case that
      might be missed is out-of-memory situations. In the worst case this
      might lead to information exposure, due to our code assuming that a
      buffer had been overwritten when it hadn't been. Also, there were a few
      places in which security-relevant calls of other system library
      functions did not check for failure.
      It remains possible that some calls of the *printf() family of functions
      are vulnerable to information disclosure if an out-of-memory error
      occurs at just the wrong time.  We judge the risk to not be large, but
      will continue analysis in this area. (CVE-2015-3166)
   - Note: The other vulnerabilities fixed in 9.1.16 don't affect this version
     as we build the PL/Perl package only.

Date: 2015-05-22 14:38:23.476369+00:00
Changed-By: Martin Pitt <martin.pitt at ubuntu.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
-------------- next part --------------
Sorry, changesfile not available.

More information about the Trusty-changes mailing list