USN-2894-1: PostgreSQL vulnerabilities

11 February 2016

postgresql-9.1, postgresql-9.3, postgresql-9.4 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

PostgreSQL could be made to crash or run programs if it handled specially crafted data.

Software Description

  • postgresql-9.4 - Object-relational SQL database
  • postgresql-9.3 - Object-relational SQL database
  • postgresql-9.1 - Object-relational SQL database

Details

It was discovered that PostgreSQL incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service. (CVE-2016-0773)

It was discovered that PostgreSQL incorrectly handled certain configuration settings (GUCS) for users of PL/Java. A remote attacker could possibly use this issue to escalate privileges. (CVE-2016-0766)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 15.10
postgresql-9.4 - 9.4.6-0ubuntu0.15.10
Ubuntu 14.04 LTS
postgresql-9.3 - 9.3.11-0ubuntu0.14.04
Ubuntu 12.04 LTS
postgresql-9.1 - 9.1.20-0ubuntu0.12.04

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart PostgreSQL to make all the necessary changes.

References