New upstream microreleases 9.1.19, 9.3.10, 9.4.5

9.4.5-1 just landed in sid, will sync in a few hours when it got imported into LP.

http://people.canonical.com/~pitti/tmp/psql/ now has packages for vivid, trusty, and precise. They all pass the upstream tests, and vivid and trusty also pass their integration test suite (via autopkgtest). The precise packages fail their autopkgtest as usual, same errors as in http://autopkgtest.ubuntu.com/packages/p/postgresql-9.1/precise/amd64/ thus no regression.

https://launchpad.net/ubuntu/+source/postgresql-9.4/9.4.5-1 just landed in wily.

Thanks, Martin, reviewing these now.

This bug was fixed in the package postgresql-9.1 - 9.1.19-0ubuntu0.14.04

---------------
postgresql-9.1 (9.1.19-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream bug fix release (LP: #1504132). No effective changes for
    PL/Perl, the version must just be higher than the one in precise, to not
    break upgrades.

 -- Martin Pitt <email address hidden> Thu, 08 Oct 2015 15:52:45 +0200

This bug was fixed in the package postgresql-9.3 - 9.3.10-0ubuntu0.14.04

---------------
postgresql-9.3 (9.3.10-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream security/bug fix release: (LP: #1504132)
    - Guard against stack overflows in json parsing.
      If an application constructs PostgreSQL json or jsonb values from
      arbitrary user input, the application's users can reliably crash the
      PostgreSQL server, causing momentary denial of service. (CVE-2015-5289)

    - Fix contrib/pgcrypto to detect and report too-short crypt() salts
      Certain invalid salt arguments crashed the server or disclosed a few
      bytes of server memory. We have not ruled out the viability of attacks
      that arrange for presence of confidential information in the disclosed
      bytes, but they seem unlikely. (CVE-2015-5288)

    - See release notes for details about other fixes.

 -- Martin Pitt <email address hidden> Thu, 08 Oct 2015 15:42:16 +0200

This bug was fixed in the package postgresql-9.4 - 9.4.5-0ubuntu0.15.04

---------------
postgresql-9.4 (9.4.5-0ubuntu0.15.04) vivid-security; urgency=medium

  * New upstream security/bug fix release: (LP: #1504132)
    - Guard against stack overflows in json parsing.
      If an application constructs PostgreSQL json or jsonb values from
      arbitrary user input, the application's users can reliably crash the
      PostgreSQL server, causing momentary denial of service. (CVE-2015-5289)

    - Fix contrib/pgcrypto to detect and report too-short crypt() salts
      Certain invalid salt arguments crashed the server or disclosed a few
      bytes of server memory. We have not ruled out the viability of attacks
      that arrange for presence of confidential information in the disclosed
      bytes, but they seem unlikely. (CVE-2015-5288)

    - See release notes for details about other fixes.

 -- Martin Pitt <email address hidden> Thu, 08 Oct 2015 15:36:31 +0200

This bug was fixed in the package postgresql-9.1 - 9.1.19-0ubuntu0.12.04

---------------
postgresql-9.1 (9.1.19-0ubuntu0.12.04) precise-security; urgency=medium

  * New upstream security/bug fix release (LP: #1504132)
    - Fix contrib/pgcrypto to detect and report too-short crypt() salts
      Certain invalid salt arguments crashed the server or disclosed a few
      bytes of server memory. We have not ruled out the viability of attacks
      that arrange for presence of confidential information in the disclosed
      bytes, but they seem unlikely. (CVE-2015-5288)
    - See release notes for details about other fixes.

 -- Martin Pitt <email address hidden> Thu, 08 Oct 2015 16:03:41 +0200