Debian Security Advisory
DLA-227-1 postgresql-8.4 -- LTS security update
- Date Reported:
- 29 May 2015
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2015-3165, CVE-2015-3166, CVE-2015-3167.
- More information:
Several vulnerabilities were discovered in PostgreSQL, a relational database server system. The 8.4 branch is EOLed upstream, but still present in Debian squeeze. This new LTS minor version contains the fixes that were applied upstream to the 9.0.20 version, backported to 8.4.22 which was the last version officially released by the PostgreSQL developers. This LTS effort for squeeze-lts is a community project sponsored by credativ GmbH.
Remote crash SSL clients disconnecting just before the authentication timeout expires can cause the server to crash.
Information exposure The replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure.
Possible side-channel key exposure In contrib/pgcrypto, some cases of decryption with an incorrect key could report other error message texts. Fix by using a one-size-fits-all message.
Note that the next round of minor releases for PostgreSQL have already been scheduled for early June 2015. There will be a corresponding 8.4.22lts3 update at the same time.