New upstream microreleases 9.1.15, 9.3.6, 9.4.1

Bug #1418928 reported by Martin Pitt
Affects                    Status         Importance   Assigned to        Milestone
postgresql-8.4 (Ubuntu)    Invalid        Undecided    Unassigned
  Lucid                    Fix Released   Undecided    Marc Deslauriers
postgresql-9.1 (Ubuntu)    Invalid        Undecided    Unassigned
  Precise                  Fix Released   Undecided    Marc Deslauriers
  Trusty                   Fix Released   Undecided    Unassigned
postgresql-9.3 (Ubuntu)    Invalid        Undecided    Unassigned
  Trusty                   Fix Released   Undecided    Marc Deslauriers
postgresql-9.4 (Ubuntu)    Fix Released   Undecided    Unassigned
  Utopic                   Fix Released   Undecided    Marc Deslauriers
  Vivid                    Fix Released   Undecided    Unassigned

Bug Description

PostgreSQL released new versions yesterday: http://www.postgresql.org/about/news/1569/

These fix a bunch of security issues, as well as the usual set of bug fixes.

Martin Pitt (pitti) wrote :

https://launchpad.net/ubuntu/+source/postgresql-9.4/9.4.1-1 is in vivid-proposed, but currently stuck on some reverse test dependency failures.

no longer affects: postgresql-8.4 (Ubuntu Precise)
no longer affects: postgresql-8.4 (Ubuntu Trusty)
no longer affects: postgresql-8.4 (Ubuntu Utopic)
no longer affects: postgresql-9.1 (Ubuntu Lucid)
no longer affects: postgresql-9.4 (Ubuntu Trusty)
no longer affects: postgresql-9.4 (Ubuntu Precise)
no longer affects: postgresql-9.4 (Ubuntu Lucid)
no longer affects: postgresql-8.4 (Ubuntu Vivid)
Changed in postgresql-8.4 (Ubuntu):
status: New → Invalid
no longer affects: postgresql-9.1 (Ubuntu Vivid)
no longer affects: postgresql-9.1 (Ubuntu Utopic)
Changed in postgresql-9.1 (Ubuntu):
status: New → Invalid
no longer affects: postgresql-9.3 (Ubuntu Lucid)
no longer affects: postgresql-9.3 (Ubuntu Vivid)
no longer affects: postgresql-9.3 (Ubuntu Precise)
no longer affects: postgresql-9.3 (Ubuntu Utopic)
Changed in postgresql-9.3 (Ubuntu):
status: New → Invalid
Changed in postgresql-9.4 (Ubuntu Vivid):
status: New → Fix Committed
Martin Pitt (pitti)
Changed in postgresql-9.4 (Ubuntu Utopic):
assignee: nobody → Martin Pitt (pitti)
status: New → In Progress
Martin Pitt (pitti)
Changed in postgresql-9.3 (Ubuntu Trusty):
status: New → In Progress
Martin Pitt (pitti)
Changed in postgresql-9.1 (Ubuntu Trusty):
status: New → In Progress
Martin Pitt (pitti)
Changed in postgresql-9.1 (Ubuntu Precise):
status: New → In Progress
Martin Pitt (pitti) wrote :
Changed in postgresql-8.4 (Ubuntu Lucid):
assignee: nobody → Martin Pitt (pitti)
status: New → In Progress
Changed in postgresql-9.4 (Ubuntu Utopic):
assignee: Martin Pitt (pitti) → nobody
Martin Pitt (pitti) wrote :

Packages for precise to utopic are ready and tested: http://people.canonical.com/~pitti/packages/psql/

I'm still backporting for lucid, though.

information type: Public → Public Security
Martin Pitt (pitti) wrote :

The fix for the column privilege leaks in error messages (http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=3a2063369 , CVE-2014-8161) backports really badly to 8.4; the code changed completely. I'm really afraid of breaking something, and the importance of that is low to medium only IMHO. So I skip this one for lucid.

Martin Pitt (pitti) wrote :

lucid is now ready and tested as well.

Changed in postgresql-8.4 (Ubuntu Lucid):
assignee: Martin Pitt (pitti) → Ubuntu Security Team (ubuntu-security)
Changed in postgresql-8.4 (Ubuntu Lucid):
assignee: Ubuntu Security Team (ubuntu-security) → Marc Deslauriers (mdeslaur)
Changed in postgresql-9.1 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in postgresql-9.3 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in postgresql-9.4 (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.15-0ubuntu0.14.04

---------------
postgresql-9.1 (9.1.15-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream bug fix release (LP: #1418928). No effective changes for
    PL/Perl, the version must just be higher than the one in precise, to not
    break upgrades.
 -- Martin Pitt <email address hidden> Fri, 06 Feb 2015 12:53:38 +0100

Changed in postgresql-9.1 (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.3 - 9.3.6-0ubuntu0.14.04

---------------
postgresql-9.3 (9.3.6-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream security/bug fix release (LP: #1418928)
    - Fix buffer overruns in to_char() [CVE-2015-0241]
    - Fix buffer overruns in contrib/pgcrypto [CVE-2015-0243]
    - Fix possible loss of frontend/backend protocol synchronization after an
      error [CVE-2015-0244]
    - Fix information leak via constraint-violation error messages
      [CVE-2014-8161]
    - See release notes for details about other fixes:
      http://www.postgresql.org/about/news/1569/
 -- Martin Pitt <email address hidden> Fri, 06 Feb 2015 12:47:00 +0100

Changed in postgresql-9.3 (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.4 - 9.4.1-0ubuntu0.14.10

---------------
postgresql-9.4 (9.4.1-0ubuntu0.14.10) utopic-security; urgency=medium

  * New upstream security/bug fix release (LP: #1418928)
    - Fix buffer overruns in to_char() [CVE-2015-0241]
    - Fix buffer overruns in contrib/pgcrypto [CVE-2015-0243]
    - Fix possible loss of frontend/backend protocol synchronization after an
      error [CVE-2015-0244]
    - Fix information leak via constraint-violation error messages
      [CVE-2014-8161]
    - See release notes for details about other fixes:
      http://www.postgresql.org/about/news/1569/
 -- Martin Pitt <email address hidden> Fri, 06 Feb 2015 12:31:46 +0100

Changed in postgresql-9.4 (Ubuntu Utopic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.15-0ubuntu0.12.04

---------------
postgresql-9.1 (9.1.15-0ubuntu0.12.04) precise-security; urgency=medium

  * New upstream security/bug fix release (LP: #1418928)
    - Fix buffer overruns in to_char() [CVE-2015-0241]
    - Fix buffer overruns in contrib/pgcrypto [CVE-2015-0243]
    - Fix possible loss of frontend/backend protocol synchronization after an
      error [CVE-2015-0244]
    - Fix information leak via constraint-violation error messages
      [CVE-2014-8161]
    - See release notes for details about other fixes:
      http://www.postgresql.org/about/news/1569/
 -- Martin Pitt <email address hidden> Fri, 06 Feb 2015 12:58:26 +0100

Changed in postgresql-9.1 (Ubuntu Precise):
status: In Progress → Fix Released
Changed in postgresql-8.4 (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in postgresql-9.4 (Ubuntu Vivid):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Sorry, I forgot to take out the changelog message for CVE-2014-8161 from the -8.4/lucid update (see comment 4). This is misleading: there is no such patch, and this vulnerability is *not* fixed in lucid.

This report contains Public Security information  