[USN-2621-1] PostgreSQL vulnerabilities

Marc Deslauriers marc.deslauriers at canonical.com
Mon May 25 11:41:23 UTC 2015

Ubuntu Security Notice USN-2621-1
May 25, 2015

postgresql-9.1, postgresql-9.3, postgresql-9.4 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.04
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS


Several security issues were fixed in PostgreSQL.

Software Description:
- postgresql-9.4: Object-relational SQL database
- postgresql-9.3: Object-relational SQL database
- postgresql-9.1: Object-relational SQL database


Benkocs Norbert Attila discovered that PostgreSQL incorrectly handled
authentication timeouts. A remote attacker could use this flaw to cause the
unauthenticated session to crash, possibly leading to a security issue.

Noah Misch discovered that PostgreSQL incorrectly handled certain standard
library function return values, possibly leading to security issues.

Noah Misch discovered that the pgcrypto function could return different
error messages when decrypting using an incorrect key, possibly leading to
a security issue. (CVE-2015-3167)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.04:
  postgresql-9.4                  9.4.2-0ubuntu0.15.04

Ubuntu 14.10:
  postgresql-9.4                  9.4.2-0ubuntu0.14.10

Ubuntu 14.04 LTS:
  postgresql-9.3                  9.3.7-0ubuntu0.14.04

Ubuntu 12.04 LTS:
  postgresql-9.1                  9.1.16-0ubuntu0.12.04

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary

  CVE-2015-3165, CVE-2015-3166, CVE-2015-3167

Package Information:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20150525/ec010393/attachment.sig>

More information about the ubuntu-security-announce mailing list