[3.2] postgresql: Security issues (CVE-2015-5288, CVE-2015-5289)
Two security issues have been fixed in this release which affect users of specific PostgreSQL features:
Unchecked JSON input can crash the server (CVE-2015-5289)
json or jsonb input values constructed from arbitrary user input can crash the PostgreSQL server and cause a denial of service.
Memory leak in crypt() function (CVE-2015-5288)
The crypt() function included with the optional pgCrypto extension could be exploited to read a few additional bytes of memory. No working exploit for this issue has been developed.
Affected versions:
9.4, 9.3, 9.2, 9.1, 9.0
Fixed in:
9.4.5, 9.3.10, 9.2.14, 9.1.19, 9.0.23
References:
http://www.postgresql.org/support/security/
http://www.postgresql.org/about/news/1615/
(from redmine: issue id 4781, created on 2015-10-20, closed on 2015-12-02)
- Relations:
- parent #4779 (closed)
- Changesets:
- Revision 2d37e1a1 by Christian Kampka on 2015-12-01T13:31:00Z:
main/postgresql: security upgrade 9.4.5 (CVE-2015-5288, CVE-2015-5289)
fixes #4781