Your submission was sent successfully! Close

CVE-2015-0244

Published: 6 February 2015

PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 does not properly handle errors while reading a protocol message, which allows remote attackers to conduct SQL injection attacks via crafted binary data in a parameter and causing an error, which triggers the loss of synchronization and part of the protocol message to be treated as a new message, as demonstrated by causing a timeout or query cancellation.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
postgresql-8.4
Launchpad, Ubuntu, Debian
lucid
Released (8.4.22-0ubuntu0.10.04.1)
precise Does not exist
(precise was needed)
trusty Does not exist

upstream Ignored
(reached end-of-life)
utopic Does not exist

vivid Does not exist

wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

postgresql-9.1
Launchpad, Ubuntu, Debian
lucid Does not exist

precise
Released (9.1.15-0ubuntu0.12.04)
trusty Does not exist
(trusty was released [9.1.15-0ubuntu0.14.04])
upstream
Released (9.1.15)
utopic Does not exist

vivid Does not exist

wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

postgresql-9.3
Launchpad, Ubuntu, Debian
lucid Does not exist

precise Does not exist

trusty
Released (9.3.6-0ubuntu0.14.04)
upstream
Released (9.3.6)
utopic Does not exist

vivid Does not exist

wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

postgresql-9.4
Launchpad, Ubuntu, Debian
lucid Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (9.4.1)
utopic
Released (9.4.1-0ubuntu0.14.10)
vivid Not vulnerable
(9.4.1-1)
wily Not vulnerable
(9.4.1-1)
xenial Does not exist

yakkety Does not exist

zesty Does not exist