Debian Security Advisory

DLA-491-1 postgresql-9.1 -- LTS security update

Date Reported:
27 May 2016
Affected Packages:
Security database references:
No other external database security references currently available.
More information:

The PostgreSQL project released a new version of the PostgreSQL 9.1 branch:

  • Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut)

This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection.

  • Fix "failed to build any N-way joins" planner error with a full join enclosed in the right-hand side of a left join (Tom Lane)
  • Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() (Tom Lane)

These could advance off the end of the input string, causing subsequent format codes to read garbage.

  • Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane)
  • Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane)

This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines.

  • Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane)

In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore.

  • Rename internal function strtoi() to strtoint() to avoid conflict with a NetBSD library function (Thomas Munro)
  • Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.

For Debian 7 Wheezy, these problems have been fixed in version 9.1.22-0+deb7u1.

We recommend that you upgrade your postgresql-9.1 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: