{ "schema_version": "1.7.0", "id": "MGASA-2015-0250", "published": "2015-07-01T12:40:22Z", "modified": "2015-07-09T07:56:53Z", "summary": "Updated postgresql package fixes security vulnerability", "details": "Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before\n9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2\nallows remote attackers to cause a denial of service (crash) by closing an\nSSL session at a time when the authentication timeout will expire during\nthe session shutdown sequence (CVE-2015-3165).\n\nThe replacement implementation of snprintf() failed to check for errors\nreported by the underlying system library calls; the main case that might\nbe missed is out-of-memory situations. In the worst case this might lead\nto information exposure (CVE-2015-3166).\n\nIn contrib/pgcrypto, some cases of decryption with an incorrect key could\nreport other error message texts, possibly leading to a side-channel key\nexposure (CVE-2015-3167).\n\nThe postgresql9.0, postgresql9.1, postgresql9.2, and postgresql9.3\npackages have been updated to versions 9.0.22, 9.1.18, 9.2.13, and 9.3.9,\nrespectively, fixing these issues, as well as some data corruption issues.\n See the upstream release notes for more details.\n", "upstream": [ "CVE-2015-3165", "CVE-2015-3166", "CVE-2015-3167" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2015-0250.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=16027" }, { "type": "WEB", "url": "http://www.postgresql.org/about/news/1587/" }, { "type": "WEB", "url": "http://www.postgresql.org/about/news/1590/" }, { "type": "WEB", "url": "http://www.postgresql.org/about/news/1592/" }, { "type": "WEB", "url": "https://www.debian.org/security/2015/dsa-3269" } ], "affected": [ { "package": { "ecosystem": "Mageia:4", "name": "postgresql9.0", "purl": "pkg:rpm/mageia/postgresql9.0?arch=source&distro=mageia-4" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.0.22-1.mga4" } ] } ], "ecosystem_specific": { "section": "core" } }, { "package": { "ecosystem": "Mageia:4", "name": "postgresql9.1", "purl": "pkg:rpm/mageia/postgresql9.1?arch=source&distro=mageia-4" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.1.18-1.mga4" } ] } ], "ecosystem_specific": { "section": "core" } }, { "package": { "ecosystem": "Mageia:4", "name": "postgresql9.2", "purl": "pkg:rpm/mageia/postgresql9.2?arch=source&distro=mageia-4" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.2.13-1.mga4" } ] } ], "ecosystem_specific": { "section": "core" } }, { "package": { "ecosystem": "Mageia:4", "name": "postgresql9.3", "purl": "pkg:rpm/mageia/postgresql9.3?arch=source&distro=mageia-4" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.3.9-1.mga4" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }