New upstream microreleases 9.1.23, 9.3.14, 9.5.4

Bug #1614113 reported by Martin Pitt on 2016-08-17
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
postgresql-9.1 (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Trusty
Undecided
Unassigned
postgresql-9.3 (Ubuntu)
Undecided
Unassigned
Trusty
Undecided
Unassigned
postgresql-9.5 (Ubuntu)
Xenial
Undecided
Martin Pitt
Yakkety
Undecided
Unassigned

Bug Description

Last week PostgreSQL published new microreleases: https://www.postgresql.org/about/news/1688/

These contain two CVEs, thus should go via -security.

Martin Pitt (pitti) wrote :

Yakkety already was autosynced:
postgresql-9.5 | 9.5.4-1 | yakkety | source, amd64, arm64, armhf, i386, powerpc, ppc64el, s390x

information type: Public → Public Security
affects: postgresql-9.4 (Ubuntu) → postgresql-9.5 (Ubuntu)
summary: - New upstream microreleases 9.1.23, 9.3.14, 9.4.9
+ New upstream microreleases 9.1.23, 9.3.14, 9.5.4
no longer affects: postgresql-9.1 (Ubuntu Yakkety)
Changed in postgresql-9.5 (Ubuntu Yakkety):
status: New → Fix Released
no longer affects: postgresql-9.5 (Ubuntu)
no longer affects: postgresql-9.5 (Ubuntu Precise)
no longer affects: postgresql-9.5 (Ubuntu Trusty)
no longer affects: postgresql-9.3 (Ubuntu Yakkety)
no longer affects: postgresql-9.3 (Ubuntu Xenial)
no longer affects: postgresql-9.3 (Ubuntu Precise)
Changed in postgresql-9.3 (Ubuntu):
status: New → Invalid
Changed in postgresql-9.1 (Ubuntu):
status: New → Invalid
no longer affects: postgresql-9.1 (Ubuntu Xenial)
Martin Pitt (pitti) wrote :

http://people.canonical.com/~pitti/tmp/psql/ now has tested (build+autopkgtest, i. e. upstream and downstream integration tests) updates for all supported releases.

Changed in postgresql-9.5 (Ubuntu Xenial):
assignee: nobody → Martin Pitt (pitti)
status: New → In Progress
Changed in postgresql-9.3 (Ubuntu Trusty):
status: New → In Progress
Changed in postgresql-9.1 (Ubuntu Trusty):
status: New → In Progress
Changed in postgresql-9.1 (Ubuntu Precise):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.23-0ubuntu0.14.04

---------------
postgresql-9.1 (9.1.23-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream bug fix release (LP: #1614113). No effective changes for
    PL/Perl, the version must just be higher than the one in precise, to not
    break upgrades.

 -- Martin Pitt <email address hidden> Wed, 17 Aug 2016 16:30:41 +0200

Changed in postgresql-9.1 (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.23-0ubuntu0.12.04

---------------
postgresql-9.1 (9.1.23-0ubuntu0.12.04) precise-security; urgency=medium

  * New upstream security/bug fix release (LP: #1614113)
    - Fix possible mis-evaluation of nested CASE-WHEN expressions
      A CASE expression appearing within the test value subexpression of
      another CASE could become confused about whether its own test value was
      null or not. Also, inlining of a SQL function implementing the equality
      operator used by a CASE expression could result in passing the wrong
      test value to functions called within a CASE expression in the SQL
      function's body. If the test values were of different data types, a
      crash might result; moreover such situations could be abused to allow
      disclosure of portions of server memory. (CVE-2016-5423)

    - Fix client programs' handling of special characters in database and role
      names
      Numerous places in vacuumdb and other client programs could become
      confused by database and role names containing double quotes or
      backslashes. Tighten up quoting rules to make that safe. Also, ensure
      that when a conninfo string is used as a database name parameter to
      these programs, it is correctly treated as such throughout.

      Fix handling of paired double quotes in psql's \connect and \password
      commands to match the documentation.

      Introduce a new -reuse-previous option in psql's \connect command to
      allow explicit control of whether to re-use connection parameters from a
      previous connection. (Without this, the choice is based on whether the
      database name looks like a conninfo string, as before.) This allows
      secure handling of database names containing special characters in
      pg_dumpall scripts.

      pg_dumpall now refuses to deal with database and role names containing
      carriage returns or newlines, as it seems impractical to quote those
      characters safely on Windows. In future we may reject such names on the
      server side, but that step has not been taken yet.

      These are considered security fixes because crafted object names
      containing special characters could have been used to execute commands
      with superuser privileges the next time a superuser executes pg_dumpall
      or other routine maintenance operations. (CVE-2016-5424)

   - Details: https://www.postgresql.org/docs/9.1/static/release-9-1-23.html

 -- Martin Pitt <email address hidden> Wed, 17 Aug 2016 16:18:31 +0200

Changed in postgresql-9.1 (Ubuntu Precise):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.5 - 9.5.4-0ubuntu0.16.04

---------------
postgresql-9.5 (9.5.4-0ubuntu0.16.04) xenial-security; urgency=medium

  * New upstream security/bug fix release (LP: #1614113)
    - Fix possible mis-evaluation of nested CASE-WHEN expressions
      A CASE expression appearing within the test value subexpression of
      another CASE could become confused about whether its own test value was
      null or not. Also, inlining of a SQL function implementing the equality
      operator used by a CASE expression could result in passing the wrong
      test value to functions called within a CASE expression in the SQL
      function's body. If the test values were of different data types, a
      crash might result; moreover such situations could be abused to allow
      disclosure of portions of server memory. (CVE-2016-5423)

    - Fix client programs' handling of special characters in database and role
      names
      Numerous places in vacuumdb and other client programs could become
      confused by database and role names containing double quotes or
      backslashes. Tighten up quoting rules to make that safe. Also, ensure
      that when a conninfo string is used as a database name parameter to
      these programs, it is correctly treated as such throughout.

      Fix handling of paired double quotes in psql's \connect and \password
      commands to match the documentation.

      Introduce a new -reuse-previous option in psql's \connect command to
      allow explicit control of whether to re-use connection parameters from a
      previous connection. (Without this, the choice is based on whether the
      database name looks like a conninfo string, as before.) This allows
      secure handling of database names containing special characters in
      pg_dumpall scripts.

      pg_dumpall now refuses to deal with database and role names containing
      carriage returns or newlines, as it seems impractical to quote those
      characters safely on Windows. In future we may reject such names on the
      server side, but that step has not been taken yet.

      These are considered security fixes because crafted object names
      containing special characters could have been used to execute commands
      with superuser privileges the next time a superuser executes pg_dumpall
      or other routine maintenance operations. (CVE-2016-5424)

    - Details about other fixes:
      https://www.postgresql.org/docs/9.5/static/release-9-5-4.html

 -- Martin Pitt <email address hidden> Wed, 17 Aug 2016 16:12:33 +0200

Changed in postgresql-9.5 (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.3 - 9.3.14-0ubuntu0.14.04

---------------
postgresql-9.3 (9.3.14-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream security/bug fix release (LP: #1614113):
    - Fix possible mis-evaluation of nested CASE-WHEN expressions
      A CASE expression appearing within the test value subexpression of
      another CASE could become confused about whether its own test value was
      null or not. Also, inlining of a SQL function implementing the equality
      operator used by a CASE expression could result in passing the wrong
      test value to functions called within a CASE expression in the SQL
      function's body. If the test values were of different data types, a
      crash might result; moreover such situations could be abused to allow
      disclosure of portions of server memory. (CVE-2016-5423)

    - Fix client programs' handling of special characters in database and role
      names
      Numerous places in vacuumdb and other client programs could become
      confused by database and role names containing double quotes or
      backslashes. Tighten up quoting rules to make that safe. Also, ensure
      that when a conninfo string is used as a database name parameter to
      these programs, it is correctly treated as such throughout.

      Fix handling of paired double quotes in psql's \connect and \password
      commands to match the documentation.

      Introduce a new -reuse-previous option in psql's \connect command to
      allow explicit control of whether to re-use connection parameters from a
      previous connection. (Without this, the choice is based on whether the
      database name looks like a conninfo string, as before.) This allows
      secure handling of database names containing special characters in
      pg_dumpall scripts.

      pg_dumpall now refuses to deal with database and role names containing
      carriage returns or newlines, as it seems impractical to quote those
      characters safely on Windows. In future we may reject such names on the
      server side, but that step has not been taken yet.

      These are considered security fixes because crafted object names
      containing special characters could have been used to execute commands
      with superuser privileges the next time a superuser executes pg_dumpall
      or other routine maintenance operations. (CVE-2016-5424)

    - Details: http://www.postgresql.org/docs/9.3/static/release-9-3-14.html

 -- Martin Pitt <email address hidden> Wed, 17 Aug 2016 16:37:41 +0200

Changed in postgresql-9.3 (Ubuntu Trusty):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers