-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 21 May 2015 16:35:28 +0200
Source: postgresql-9.1
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.1 postgresql-9.1-dbg postgresql-client-9.1 postgresql-server-dev-9.1 postgresql-doc-9.1 postgresql-contrib-9.1 postgresql-plperl-9.1 postgresql-plpython-9.1 postgresql-plpython3-9.1 postgresql-pltcl-9.1
Architecture: source amd64 all
Version: 9.1.16-0+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>
Changed-By: Christoph Berg <christoph.berg@credativ.de>
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6    - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.1
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql-9.1 - object-relational SQL database, version 9.1 server
 postgresql-9.1-dbg - debug symbols for postgresql-9.1
 postgresql-client-9.1 - front-end programs for PostgreSQL 9.1
 postgresql-contrib-9.1 - additional facilities for PostgreSQL
 postgresql-doc-9.1 - documentation for the PostgreSQL database management system
 postgresql-plperl-9.1 - PL/Perl procedural language for PostgreSQL 9.1
 postgresql-plpython-9.1 - PL/Python procedural language for PostgreSQL 9.1
 postgresql-plpython3-9.1 - PL/Python 3 procedural language for PostgreSQL 9.1
 postgresql-pltcl-9.1 - PL/Tcl procedural language for PostgreSQL 9.1
 postgresql-server-dev-9.1 - development files for PostgreSQL 9.1 server-side programming
Changes:
 postgresql-9.1 (9.1.16-0+deb7u1) wheezy-security; urgency=medium
 .
   * New upstream version.
 .
     + Avoid possible crash when client disconnects just before the
       authentication timeout expires (Benkocs Norbert Attila)
 .
       If the timeout interrupt fired partway through the session shutdown
       sequence, SSL-related state would be freed twice, typically causing
       a crash and hence denial of service to other sessions.
       Experimentation shows that an unauthenticated remote attacker could
       trigger the bug somewhat consistently, hence treat as security
       issue. (CVE-2015-3165)
 .
     + Improve detection of system-call failures (Noah Misch)
 .
       Our replacement implementation of snprintf() failed to check for
       errors reported by the underlying system library calls; the main
       case that might be missed is out-of-memory situations. In the worst
       case this might lead to information exposure, due to our code
       assuming that a buffer had been overwritten when it hadn't been.
       Also, there were a few places in which security-relevant calls of
       other system library functions did not check for failure.
 .
       It remains possible that some calls of the *printf() family of
       functions are vulnerable to information disclosure if an
       out-of-memory error occurs at just the wrong time. We judge the
       risk to not be large, but will continue analysis in this area.
       (CVE-2015-3166)
 .
     + In contrib/pgcrypto, uniformly report decryption failures as
       "Wrong key or corrupt data" (Noah Misch)
 .
       Previously, some cases of decryption with an incorrect key could
       report other error message texts. It has been shown that such
       variance in error reports can aid attackers in recovering keys from
       other systems. While it's unknown whether pgcrypto's specific
       behaviors are likewise exploitable, it seems better to avoid the
       risk by using a one-size-fits-all message. (CVE-2015-3167)
 .
   * Repository moved to git, update Vcs headers.
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----