USN-2772-1: PostgreSQL vulnerabilities
16 October 2015
PostgreSQL could be made to crash or expose private information if it handled specially crafted data.
- postgresql-9.1 - Object-relational SQL database
- postgresql-9.3 - Object-relational SQL database
- postgresql-9.4 - Object-relational SQL database
Josh Kupershmidt discovered the pgCrypto extension could expose
several bytes of server memory if the crypt() function was provided a
too-short salt. An attacker could use this flaw to read private data.
Oskari Saarenmaa discovered that the json and jsonb handlers could exhaust
available stack space. An attacker could use this flaw to perform a denial
of service attack. This issue only affected Ubuntu 14.04 LTS and Ubuntu
The problem can be corrected by updating your system to the following package versions:
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.