[USN-2772-1] PostgreSQL vulnerabilities

Seth Arnold seth.arnold at canonical.com
Fri Oct 16 06:15:55 UTC 2015

Ubuntu Security Notice USN-2772-1
October 16, 2015

postgresql-9.1, postgresql-9.3, postgresql-9.4 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS


PostgreSQL could be made to crash or expose private information if it
handled specially crafted data.

Software Description:
- postgresql-9.4: Object-relational SQL database
- postgresql-9.3: Object-relational SQL database
- postgresql-9.1: Object-relational SQL database


Josh Kupershmidt discovered the pgCrypto extension could expose
several bytes of server memory if the crypt() function was provided a
too-short salt. An attacker could use this flaw to read private data.

Oskari Saarenmaa discovered that the json and jsonb handlers could exhaust
available stack space. An attacker could use this flaw to perform a denial
of service attack. This issue only affected Ubuntu 14.04 LTS and Ubuntu
15.04. (CVE-2015-5289)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.04:
  postgresql-9.4                  9.4.5-0ubuntu0.15.04

Ubuntu 14.04 LTS:
  postgresql-9.3                  9.3.10-0ubuntu0.14.04

Ubuntu 12.04 LTS:
  postgresql-9.1                  9.1.19-0ubuntu0.12.04

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

  CVE-2015-5288, CVE-2015-5289

Package Information:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20151015/ea3d9104/attachment.sig>

More information about the ubuntu-security-announce mailing list