postgresql: Security issues (CVE-2015-5288, CVE-2015-5289)
Two security issues have been fixed in this release which affect users of specific PostgreSQL features:
Unchecked JSON input can crash the server (CVE-2015-5289)
json or jsonb input values constructed from arbitrary user input can
crash the PostgreSQL server and cause a denial of service.
Memory leak in crypt() function (CVE-2015-5288)
The crypt() function included with the optional pgCrypto extension could
be exploited to read a few additional bytes of memory. No working exploit
for this issue has been developed.
Affected versions:
9.4, 9.3, 9.2, 9.1, 9.0
Fixed in:
9.4.5, 9.3.10, 9.2.14, 9.1.19, 9.0.23
References:
http://www.postgresql.org/support/security/
http://www.postgresql.org/about/news/1615/
(from redmine: issue id 4779, created on 2015-10-20, closed on 2015-12-02)
- Relations:
- child #4780 (closed)
- child #4781 (closed)
- child #4782 (closed)
- child #4783 (closed)
- child #4784 (closed)