New upstream microreleases 9.1.20, 9.3.11, 9.4.6

Bug #1544576 reported by Martin Pitt
Affects                    Status         Importance   Assigned to   Milestone
postgresql-9.1 (Ubuntu)    Invalid        Undecided    Unassigned
  Precise                  Fix Released   Undecided    Unassigned
  Trusty                   Fix Released   Undecided    Unassigned
postgresql-9.3 (Ubuntu)    Invalid        Undecided    Unassigned
  Trusty                   Fix Released   Undecided    Unassigned
postgresql-9.4 (Ubuntu)    Invalid        Undecided    Unassigned
  Wily                     Fix Released   Undecided    Unassigned

Bug Description

PostgreSQL just announced new microreleases with a security and some bug fixes: http://www.postgresql.org/about/news/1644/

Xenial has 9.5.0 ATM, but will auto-sync 9.5.1-1 from Debian tomorrow.

Martin Pitt (pitti)
information type: Public → Public Security
Martin Pitt (pitti)
Changed in postgresql-9.4 (Ubuntu):
status: New → Invalid
Changed in postgresql-9.3 (Ubuntu):
status: New → Invalid
no longer affects: postgresql-9.3 (Ubuntu Precise)
no longer affects: postgresql-9.3 (Ubuntu Wily)
no longer affects: postgresql-9.4 (Ubuntu Precise)
Changed in postgresql-9.1 (Ubuntu):
status: New → Invalid
no longer affects: postgresql-9.4 (Ubuntu Precise)
no longer affects: postgresql-9.3 (Ubuntu Precise)
Martin Pitt (pitti)
Changed in postgresql-9.4 (Ubuntu Wily):
status: New → In Progress
Martin Pitt (pitti)
Changed in postgresql-9.1 (Ubuntu Precise):
status: New → In Progress
no longer affects: postgresql-9.4 (Ubuntu Trusty)
Changed in postgresql-9.3 (Ubuntu Trusty):
status: New → In Progress
Changed in postgresql-9.1 (Ubuntu Trusty):
status: New → In Progress
Martin Pitt (pitti) wrote :

http://people.canonical.com/~pitti/tmp/psql/ has tested (upstream/autopkgtest) updates for all supported releases.

Marc Deslauriers (mdeslaur) wrote :

Thanks pitti, I'll handle releasing these as security updates.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.20-0ubuntu0.14.04

---------------
postgresql-9.1 (9.1.20-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream release (LP: #1544576). No effective changes for PL/Perl, the
    version must just be higher than the one in precise, to not break
    upgrades.

 -- Martin Pitt <email address hidden> Thu, 11 Feb 2016 15:56:18 +0100

Changed in postgresql-9.1 (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.20-0ubuntu0.12.04

---------------
postgresql-9.1 (9.1.20-0ubuntu0.12.04) precise-security; urgency=medium

  * New upstream security/bug fix release: (LP: #1544576)
    - Fix infinite loops and buffer-overrun problems in regular expressions.
      Very large character ranges in bracket expressions could cause infinite
      loops in some cases, and memory overwrites in other cases.
      (CVE-2016-0773)
    - Prevent certain PL/Java parameters from being set by non-superusers.
      This change mitigates a PL/Java security bug (CVE-2016-0766), which was
      fixed in PL/Java by marking these parameters as superuser-only. To fix
      the security hazard for sites that update PostgreSQL more frequently
      than PL/Java, make the core code aware of them also.
    - See release notes for details about other fixes.

 -- Martin Pitt <email address hidden> Thu, 11 Feb 2016 15:41:29 +0100

Changed in postgresql-9.1 (Ubuntu Precise):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.4 - 9.4.6-0ubuntu0.15.10

---------------
postgresql-9.4 (9.4.6-0ubuntu0.15.10) wily-security; urgency=medium

  * New upstream security/bug fix release: (LP: #1544576)
    - Fix infinite loops and buffer-overrun problems in regular expressions.
      Very large character ranges in bracket expressions could cause infinite
      loops in some cases, and memory overwrites in other cases.
      (CVE-2016-0773)
    - Prevent certain PL/Java parameters from being set by non-superusers.
      This change mitigates a PL/Java security bug (CVE-2016-0766), which was
      fixed in PL/Java by marking these parameters as superuser-only. To fix
      the security hazard for sites that update PostgreSQL more frequently
      than PL/Java, make the core code aware of them also.
    - See release notes for details about other fixes.

 -- Martin Pitt <email address hidden> Thu, 11 Feb 2016 15:28:06 +0100

Changed in postgresql-9.4 (Ubuntu Wily):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.3 - 9.3.11-0ubuntu0.14.04

---------------
postgresql-9.3 (9.3.11-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream security/bug fix release: (LP: #1544576)
    - Fix infinite loops and buffer-overrun problems in regular expressions.
      Very large character ranges in bracket expressions could cause infinite
      loops in some cases, and memory overwrites in other cases.
      (CVE-2016-0773)
    - Prevent certain PL/Java parameters from being set by non-superusers.
      This change mitigates a PL/Java security bug (CVE-2016-0766), which was
      fixed in PL/Java by marking these parameters as superuser-only. To fix
      the security hazard for sites that update PostgreSQL more frequently
      than PL/Java, make the core code aware of them also.
    - See release notes for details about other fixes.

 -- Martin Pitt <email address hidden> Thu, 11 Feb 2016 15:44:43 +0100

Changed in postgresql-9.3 (Ubuntu Trusty):
status: In Progress → Fix Released