New upstream microreleases 9.1.20, 9.3.11, 9.4.6

Bug #1544576 reported by Martin Pitt on 2016-02-11
Affects (Importance / Assigned to):
postgresql-9.1 (Ubuntu): Undecided / Unassigned
  Precise: Undecided / Unassigned
  Trusty: Undecided / Unassigned
postgresql-9.3 (Ubuntu): Undecided / Unassigned
  Trusty: Undecided / Unassigned
postgresql-9.4 (Ubuntu): Undecided / Unassigned
  Wily: Undecided / Unassigned

Bug Description

PostgreSQL just announced new microreleases with a security fix and some bug fixes: http://www.postgresql.org/about/news/1644/

Xenial has 9.5.0 ATM, but will auto-sync 9.5.1-1 from Debian tomorrow.

Martin Pitt (pitti) on 2016-02-11
information type: Public → Public Security
Martin Pitt (pitti) on 2016-02-11
Changed in postgresql-9.4 (Ubuntu):
status: New → Invalid
Changed in postgresql-9.3 (Ubuntu):
status: New → Invalid
no longer affects: postgresql-9.3 (Ubuntu Precise)
no longer affects: postgresql-9.3 (Ubuntu Wily)
no longer affects: postgresql-9.4 (Ubuntu Precise)
Changed in postgresql-9.1 (Ubuntu):
status: New → Invalid
no longer affects: postgresql-9.4 (Ubuntu Precise)
no longer affects: postgresql-9.3 (Ubuntu Precise)
Martin Pitt (pitti) on 2016-02-11
Changed in postgresql-9.4 (Ubuntu Wily):
status: New → In Progress
Martin Pitt (pitti) on 2016-02-11
Changed in postgresql-9.1 (Ubuntu Precise):
status: New → In Progress
no longer affects: postgresql-9.4 (Ubuntu Trusty)
Changed in postgresql-9.3 (Ubuntu Trusty):
status: New → In Progress
Changed in postgresql-9.1 (Ubuntu Trusty):
status: New → In Progress
Martin Pitt (pitti) wrote :

http://people.canonical.com/~pitti/tmp/psql/ has tested (upstream/autopkgtest) updates for all supported releases.

Marc Deslauriers (mdeslaur) wrote :

Thanks pitti, I'll handle releasing these as security updates.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.20-0ubuntu0.14.04

---------------
postgresql-9.1 (9.1.20-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream release (LP: #1544576). No effective changes for PL/Perl, the
    version must just be higher than the one in precise, to not break
    upgrades.

 -- Martin Pitt <email address hidden> Thu, 11 Feb 2016 15:56:18 +0100

Changed in postgresql-9.1 (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.20-0ubuntu0.12.04

---------------
postgresql-9.1 (9.1.20-0ubuntu0.12.04) precise-security; urgency=medium

  * New upstream security/bug fix release: (LP: #1544576)
    - Fix infinite loops and buffer-overrun problems in regular expressions.
      Very large character ranges in bracket expressions could cause infinite
      loops in some cases, and memory overwrites in other cases.
      (CVE-2016-0773)
    - Prevent certain PL/Java parameters from being set by non-superusers.
      This change mitigates a PL/Java security bug (CVE-2016-0766), which was
      fixed in PL/Java by marking these parameters as superuser-only. To fix
      the security hazard for sites that update PostgreSQL more frequently
      than PL/Java, make the core code aware of them also.
    - See release notes for details about other fixes.

 -- Martin Pitt <email address hidden> Thu, 11 Feb 2016 15:41:29 +0100

Changed in postgresql-9.1 (Ubuntu Precise):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.4 - 9.4.6-0ubuntu0.15.10

---------------
postgresql-9.4 (9.4.6-0ubuntu0.15.10) wily-security; urgency=medium

  * New upstream security/bug fix release: (LP: #1544576)
    - Fix infinite loops and buffer-overrun problems in regular expressions.
      Very large character ranges in bracket expressions could cause infinite
      loops in some cases, and memory overwrites in other cases.
      (CVE-2016-0773)
    - Prevent certain PL/Java parameters from being set by non-superusers.
      This change mitigates a PL/Java security bug (CVE-2016-0766), which was
      fixed in PL/Java by marking these parameters as superuser-only. To fix
      the security hazard for sites that update PostgreSQL more frequently
      than PL/Java, make the core code aware of them also.
    - See release notes for details about other fixes.

 -- Martin Pitt <email address hidden> Thu, 11 Feb 2016 15:28:06 +0100

Changed in postgresql-9.4 (Ubuntu Wily):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.3 - 9.3.11-0ubuntu0.14.04

---------------
postgresql-9.3 (9.3.11-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream security/bug fix release: (LP: #1544576)
    - Fix infinite loops and buffer-overrun problems in regular expressions.
      Very large character ranges in bracket expressions could cause infinite
      loops in some cases, and memory overwrites in other cases.
      (CVE-2016-0773)
    - Prevent certain PL/Java parameters from being set by non-superusers.
      This change mitigates a PL/Java security bug (CVE-2016-0766), which was
      fixed in PL/Java by marking these parameters as superuser-only. To fix
      the security hazard for sites that update PostgreSQL more frequently
      than PL/Java, make the core code aware of them also.
    - See release notes for details about other fixes.

 -- Martin Pitt <email address hidden> Thu, 11 Feb 2016 15:44:43 +0100

Changed in postgresql-9.3 (Ubuntu Trusty):
status: In Progress → Fix Released
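The changelogs above give the microrelease of each branch that carries the CVE-2016-0773 / CVE-2016-0766 fixes (9.1.20, 9.3.11, 9.4.6, and 9.5.1 per the bug description). The script below is an added example, not code from Launchpad, Ubuntu, or the reporter: it parses the version string a host reports (the output of `psql --version` or of SQL `SELECT version()`) and flags hosts whose branch is still below the fixed microrelease. The host names and version strings in `SAMPLE_INVENTORY` are constructed for illustration.

```python
import re

# Minimum fixed micro version per upstream branch, taken from this bug:
# 9.1.20, 9.3.11, 9.4.6 from the changelogs, 9.5.1 from the description.
FIXED_MICRO = {
    (9, 1): 20,
    (9, 3): 11,
    (9, 4): 6,
    (9, 5): 1,
}

# Matches the first dotted triple, e.g. "9.3.10" in
# "psql (PostgreSQL) 9.3.10" or "PostgreSQL 9.4.5 on x86_64-pc-linux-gnu ...".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor, micro) parsed from a PostgreSQL version string."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no PostgreSQL version found in: {text!r}")
    return tuple(int(part) for part in match.groups())


def check_version(text):
    """Classify one reported version string.

    Returns (branch, installed_micro, required_micro, patched) where
    patched is True/False for branches covered by this bug and None for
    branches it does not cover (e.g. 9.2, which is not packaged in Ubuntu).
    """
    major, minor, micro = parse_version(text)
    branch = (major, minor)
    required = FIXED_MICRO.get(branch)
    if required is None:
        return branch, micro, None, None
    return branch, micro, required, micro >= required


def unpatched_hosts(inventory):
    """Given {host: version_string}, return the hosts still below the fixed
    microrelease of their branch, as (host, installed, required) tuples."""
    findings = []
    for host, text in sorted(inventory.items()):
        branch, micro, required, patched = check_version(text)
        if patched is False:
            installed = f"{branch[0]}.{branch[1]}.{micro}"
            needed = f"{branch[0]}.{branch[1]}.{required}"
            findings.append((host, installed, needed))
    return findings


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = {
    "db-precise-01": "psql (PostgreSQL) 9.1.19",
    "db-trusty-01": "psql (PostgreSQL) 9.3.11",
    "db-trusty-02": "PostgreSQL 9.3.10 on x86_64-pc-linux-gnu, compiled by gcc",
    "db-wily-01": "psql (PostgreSQL) 9.4.6",
    "db-xenial-01": "psql (PostgreSQL) 9.5.0",
}

if __name__ == "__main__":
    for host, installed, needed in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {installed} installed, {needed} or later required")
```

Feed `unpatched_hosts` a mapping collected from your fleet (for example by running `psql --version` over SSH) and it lists only the hosts that still need the update; hosts on branches outside the table are reported neither way rather than silently passed.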