New upstream microreleases 9.1.15, 9.3.6, 9.4.1

Bug #1418928 reported by Martin Pitt on 2015-02-06
Affects                    Importance  Assigned to
postgresql-8.4 (Ubuntu)    Undecided   Unassigned
  Lucid                    Undecided   Marc Deslauriers
postgresql-9.1 (Ubuntu)    Undecided   Unassigned
  Precise                  Undecided   Marc Deslauriers
  Trusty                   Undecided   Unassigned
postgresql-9.3 (Ubuntu)    Undecided   Unassigned
  Trusty                   Undecided   Marc Deslauriers
postgresql-9.4 (Ubuntu)    Undecided   Unassigned
  Utopic                   Undecided   Marc Deslauriers
  Vivid                    Undecided   Unassigned

Bug Description

PostgreSQL has released new versions yesterday: http://www.postgresql.org/about/news/1569/

These fix a bunch of security issues, as well as the usual set of bug fixes.

Martin Pitt (pitti) wrote :

https://launchpad.net/ubuntu/+source/postgresql-9.4/9.4.1-1 is in vivid-proposed, but currently stuck on some reverse test dependency failures.

no longer affects: postgresql-8.4 (Ubuntu Precise)
no longer affects: postgresql-8.4 (Ubuntu Trusty)
no longer affects: postgresql-8.4 (Ubuntu Utopic)
no longer affects: postgresql-9.1 (Ubuntu Lucid)
no longer affects: postgresql-9.4 (Ubuntu Trusty)
no longer affects: postgresql-9.4 (Ubuntu Precise)
no longer affects: postgresql-9.4 (Ubuntu Lucid)
no longer affects: postgresql-8.4 (Ubuntu Vivid)
Changed in postgresql-8.4 (Ubuntu):
status: New → Invalid
no longer affects: postgresql-9.1 (Ubuntu Vivid)
no longer affects: postgresql-9.1 (Ubuntu Utopic)
Changed in postgresql-9.1 (Ubuntu):
status: New → Invalid
no longer affects: postgresql-9.3 (Ubuntu Lucid)
no longer affects: postgresql-9.3 (Ubuntu Vivid)
no longer affects: postgresql-9.3 (Ubuntu Precise)
no longer affects: postgresql-9.3 (Ubuntu Utopic)
Changed in postgresql-9.3 (Ubuntu):
status: New → Invalid
Changed in postgresql-9.4 (Ubuntu Vivid):
status: New → Fix Committed
Martin Pitt (pitti) on 2015-02-06
Changed in postgresql-9.4 (Ubuntu Utopic):
assignee: nobody → Martin Pitt (pitti)
status: New → In Progress
Martin Pitt (pitti) on 2015-02-06
Changed in postgresql-9.3 (Ubuntu Trusty):
status: New → In Progress
Martin Pitt (pitti) on 2015-02-06
Changed in postgresql-9.1 (Ubuntu Trusty):
status: New → In Progress
Martin Pitt (pitti) on 2015-02-06
Changed in postgresql-9.1 (Ubuntu Precise):
status: New → In Progress
Martin Pitt (pitti) wrote :
Changed in postgresql-8.4 (Ubuntu Lucid):
assignee: nobody → Martin Pitt (pitti)
status: New → In Progress
Changed in postgresql-9.4 (Ubuntu Utopic):
assignee: Martin Pitt (pitti) → nobody
Martin Pitt (pitti) wrote :

Packages for precise to utopic are ready and tested: http://people.canonical.com/~pitti/packages/psql/

I'm still backporting for lucid, though.

information type: Public → Public Security
Martin Pitt (pitti) wrote :

The fix for the column privilege leaks in error messages (http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=3a2063369, CVE-2014-8161) backports really badly to 8.4; the code changed completely. I'm really afraid of breaking something, and the importance of that is low to medium only IMHO. So I skip this one for lucid.

Martin Pitt (pitti) wrote :

lucid is now ready and tested as well.

Changed in postgresql-8.4 (Ubuntu Lucid):
assignee: Martin Pitt (pitti) → Ubuntu Security Team (ubuntu-security)
Changed in postgresql-8.4 (Ubuntu Lucid):
assignee: Ubuntu Security Team (ubuntu-security) → Marc Deslauriers (mdeslaur)
Changed in postgresql-9.1 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in postgresql-9.3 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in postgresql-9.4 (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.15-0ubuntu0.14.04

---------------
postgresql-9.1 (9.1.15-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream bug fix release (LP: #1418928). No effective changes for
    PL/Perl, the version must just be higher than the one in precise, to not
    break upgrades.
 -- Martin Pitt <email address hidden> Fri, 06 Feb 2015 12:53:38 +0100

Changed in postgresql-9.1 (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.3 - 9.3.6-0ubuntu0.14.04

---------------
postgresql-9.3 (9.3.6-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream security/bug fix release (LP: #1418928)
    - Fix buffer overruns in to_char() [CVE-2015-0241]
    - Fix buffer overruns in contrib/pgcrypto [CVE-2015-0243]
    - Fix possible loss of frontend/backend protocol synchronization after an
      error [CVE-2015-0244]
    - Fix information leak via constraint-violation error messages
      [CVE-2014-8161]
    - See release notes for details about other fixes:
      http://www.postgresql.org/about/news/1569/
 -- Martin Pitt <email address hidden> Fri, 06 Feb 2015 12:47:00 +0100

Changed in postgresql-9.3 (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.4 - 9.4.1-0ubuntu0.14.10

---------------
postgresql-9.4 (9.4.1-0ubuntu0.14.10) utopic-security; urgency=medium

  * New upstream security/bug fix release (LP: #1418928)
    - Fix buffer overruns in to_char() [CVE-2015-0241]
    - Fix buffer overruns in contrib/pgcrypto [CVE-2015-0243]
    - Fix possible loss of frontend/backend protocol synchronization after an
      error [CVE-2015-0244]
    - Fix information leak via constraint-violation error messages
      [CVE-2014-8161]
    - See release notes for details about other fixes:
      http://www.postgresql.org/about/news/1569/
 -- Martin Pitt <email address hidden> Fri, 06 Feb 2015 12:31:46 +0100

Changed in postgresql-9.4 (Ubuntu Utopic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.15-0ubuntu0.12.04

---------------
postgresql-9.1 (9.1.15-0ubuntu0.12.04) precise-security; urgency=medium

  * New upstream security/bug fix release (LP: #1418928)
    - Fix buffer overruns in to_char() [CVE-2015-0241]
    - Fix buffer overruns in contrib/pgcrypto [CVE-2015-0243]
    - Fix possible loss of frontend/backend protocol synchronization after an
      error [CVE-2015-0244]
    - Fix information leak via constraint-violation error messages
      [CVE-2014-8161]
    - See release notes for details about other fixes:
      http://www.postgresql.org/about/news/1569/
 -- Martin Pitt <email address hidden> Fri, 06 Feb 2015 12:58:26 +0100

Changed in postgresql-9.1 (Ubuntu Precise):
status: In Progress → Fix Released
Changed in postgresql-8.4 (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in postgresql-9.4 (Ubuntu Vivid):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Sorry, I forgot to take out the changelog message for CVE-2014-8161 from the -8.4/lucid update (see comment 4). This is misleading, there is no such patch and this vulnerability is *not* fixed in lucid.
