postgresql-9.1, postgresql-9.3, postgresql-9.4 vulnerabilities

11 February 2016

postgresql-9.1, postgresql-9.3, postgresql-9.4 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 15.10
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

PostgreSQL could be made to crash or run programs if it handled specially crafted data.

Software Description

• postgresql-9.4 - Object-relational SQL database
• postgresql-9.3 - Object-relational SQL database
• postgresql-9.1 - Object-relational SQL database

Details

It was discovered that PostgreSQL incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service. (CVE-2016-0773)

It was discovered that PostgreSQL incorrectly handled certain configuration settings (GUCS) for users of PL/Java. A remote attacker could possibly use this issue to escalate privileges. (CVE-2016-0766)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 15.10

postgresql-9.4 - 9.4.6-0ubuntu0.15.10

Ubuntu 14.04 LTS

postgresql-9.3 - 9.3.11-0ubuntu0.14.04

Ubuntu 12.04 LTS

postgresql-9.1 - 9.1.20-0ubuntu0.12.04

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart PostgreSQL to make all the necessary changes.

References

• CVE-2016-0766
• CVE-2016-0773