[SECURITY] [DLA-227-1] postgresql-8.4 update

2015-05-29T10:36:27
ID DEBIAN:DLA-227-1:010C2
Type debian
Reporter Debian
Modified 2015-05-29T10:36:27

Description

Package : postgresql-8.4 Version : 8.4.22lts2-0+deb6u2 CVE ID : CVE-2015-3165 CVE-2015-3166 CVE-2015-3167

Several vulnerabilities were discovered in PostgreSQL, a relational database server system. The 8.4 branch is EOLed upstream, but still present in Debian squeeze. This new LTS minor version contains the fixes that were applied upstream to the 9.0.20 version, backported to 8.4.22 which was the last version officially released by the PostgreSQL developers. This LTS effort for squeeze-lts is a community project sponsored by credativ GmbH.

CVE-2015-3165: Remote crash SSL clients disconnecting just before the authentication timeout expires can cause the server to crash.

CVE-2015-3166: Information exposure The replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure.

CVE-2015-3167: Possible side-channel key exposure In contrib/pgcrypto, some cases of decryption with an incorrect key could report other error message texts. Fix by using a one-size-fits-all message.

Note that the next round of minor releases for PostgreSQL have already been scheduled for early June 2015. There will be a corresponding 8.4.22lts3 update at the same time.