[v2.7] postgresql: multiple fixes (CVE-2015-3165, CVE-2015-3166, CVE-2015-3167)
New versions of PostgreSQL have been released recently (9.4.2, 9.3.7, 9.2.11, 9.1.16, and 9.0.20) which contain security fixes for vulnerabilities reported in PostgreSQL over the past few months. None of these issues are seen as particularly urgent. However, users should examine them in case their installations are vulnerable:
- CVE-2015-3165: Double "free" after authentication timeout.
- CVE-2015-3166: Unanticipated errors from the standard library.
- CVE-2015-3167: pgcrypto has multiple error messages for decryption with an incorrect key.
Additionally, the developers recommend that all users of Kerberos, GSSAPI, or SSPI authentication set include_realm to 1 in pg_hba.conf; this will become the default in future versions.
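As an added defender-side check (not code from the PostgreSQL project or this issue), the following Python snippet parses pg_hba.conf entries and flags gss, sspi or krb5 entries that do not carry include_realm=1, since without it the realm is stripped from the principal and users from different realms collapse onto the same database role. The sample configuration is constructed, and addresses are assumed to be in CIDR form (the separate-netmask column form is not handled).

```python
"""Audit pg_hba.conf entries for the include_realm=1 setting (added example)."""
import shlex

# Authentication methods that accept the Kerberos-style include_realm option.
REALM_METHODS = {"gss", "sspi", "krb5"}

# Constructed sample pg_hba.conf with entries in each state.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD  [OPTIONS]
local   all       all                   peer
host    all       all   10.0.0.0/8      gss                      # realm stripped
host    all       all   10.0.0.0/8      gss    include_realm=0   # explicit old default
host    all       all   10.0.0.0/8      gss    include_realm=1 krb_realm=EXAMPLE.COM
host    all       all   192.168.0.0/16  sspi   include_realm=1 map=ad
hostssl all       all   0.0.0.0/0       md5
"""


def parse_hba(text):
    """Yield (line_no, method, options) for each non-comment pg_hba.conf entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = shlex.split(line)
        # 'local' entries have no ADDRESS column; host* entries do (CIDR form assumed).
        method_idx = 3 if fields[0] == "local" else 4
        if len(fields) <= method_idx:
            continue                          # malformed entry, skip
        method = fields[method_idx]
        opts = {}
        for opt in fields[method_idx + 1:]:   # remaining fields are key=value options
            key, _, value = opt.partition("=")
            opts[key] = value
        yield no, method, opts


def find_missing_include_realm(text):
    """Return line numbers of gss/sspi/krb5 entries lacking include_realm=1."""
    return [no for no, method, opts in parse_hba(text)
            if method in REALM_METHODS and opts.get("include_realm") != "1"]


if __name__ == "__main__":
    for no in find_missing_include_realm(SAMPLE_HBA):
        print(f"line {no}: Kerberos-style entry without include_realm=1")
```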
References:
http://www.postgresql.org/about/news/1587/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3165
https://bugzilla.redhat.com/show_bug.cgi?id=1221537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3166
https://bugzilla.redhat.com/show_bug.cgi?id=1221539
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3167
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3167
(from redmine: issue id 4251, created on 2015-05-26, closed on 2015-05-28)
- Relations:
  - parent #4250 (closed)
- Changesets:
  - Revision bca3ff02 by Natanael Copa on 2015-05-27T09:57:27Z:
    main/postgresql: security upgrade to 9.3.7 (CVE-2015-3165,CVE-2015-3166,CVE-2015-3167)
    fixes #4251