{ "schema_version": "1.7.0", "id": "MGASA-2015-0420", "published": "2015-11-02T20:21:29Z", "modified": "2015-11-02T20:12:04Z", "summary": "Updated postgresql packages fix security vulnerabilities", "details": "Josh Kupershmidt discovered the pgCrypto extension could expose\nseveral bytes of server memory if the crypt() function was provided a\ntoo-short salt. An attacker could use this flaw to read private data.\n(CVE-2015-5288)\n\nOskari Saarenmaa discovered that the json and jsonb handlers could exhaust\navailable stack space. An attacker could use this flaw to perform a denial\nof service attack. (CVE-2015-5289)\n\nThe postgresql9.3 and postgresql9.4 packages have been updated to versions \n9.3.10 and 9.4.5, respectively, to fix these issues.\nSee the upstream release notes for more details.\n", "upstream": [ "CVE-2015-5288", "CVE-2015-5289" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2015-0420.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=16924" }, { "type": "WEB", "url": "http://www.postgresql.org/about/news/1615/" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/usn-2772-1/" } ], "affected": [ { "package": { "ecosystem": "Mageia:5", "name": "postgresql9.3", "purl": "pkg:rpm/mageia/postgresql9.3?arch=source&distro=mageia-5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.3.10-1.mga5" } ] } ], "ecosystem_specific": { "section": "core" } }, { "package": { "ecosystem": "Mageia:5", "name": "postgresql9.4", "purl": "pkg:rpm/mageia/postgresql9.4?arch=source&distro=mageia-5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.4.5-1.mga5" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }