USN-3066-1: PostgreSQL vulnerabilities

18 August 2016

Several security issues were fixed in PostgreSQL.

Releases

Packages

  • postgresql-9.1 - Object-relational SQL database
  • postgresql-9.3 - Object-relational SQL database
  • postgresql-9.5 - object-relational SQL database

Details

Heikki Linnakangas discovered that PostgreSQL incorrectly handled certain
nested CASE/WHEN expressions. A remote attacker could possibly use this
issue to cause PostgreSQL to crash, resulting in a denial of service.
(CVE-2016-5423)

Nathan Bossart discovered that PostgreSQL incorrectly handled special
characters in database and role names. A remote attacker could possibly use
this issue to escalate privileges. (CVE-2016-5424)
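
An added audit query (not part of the Ubuntu notice or of PostgreSQL's own tooling) that inventories the database and role names relevant to CVE-2016-5424, so unexpected entries can be reviewed before and after patching. The notice does not list the affected characters, so treating anything outside ASCII letters, digits and underscore as "special" is an assumption of this example; the column aliases are also the example's own.

```sql
-- Added example: list database and role names that contain characters
-- outside [A-Za-z0-9_]. The character class is an assumption of this
-- example, chosen to be deliberately broad; it is not taken from the notice.
SELECT 'database'                               AS object_type,
       datname::text                            AS name,
       -- quote_literal makes whitespace and control characters visible
       quote_literal(datname::text)             AS quoted_name,
       'owner=' || pg_catalog.pg_get_userbyid(datdba)::text AS detail
FROM   pg_catalog.pg_database
WHERE  datname::text !~ '^[A-Za-z0-9_]+$'

UNION ALL

SELECT 'role',
       rolname::text,
       quote_literal(rolname::text),
       -- show the attributes that matter when triaging an odd role name
       concat_ws(',',
                 CASE WHEN rolsuper      THEN 'superuser'  END,
                 CASE WHEN rolcreatedb   THEN 'createdb'   END,
                 CASE WHEN rolcreaterole THEN 'createrole' END,
                 CASE WHEN rolcanlogin   THEN 'login'      END)
FROM   pg_catalog.pg_roles
WHERE  rolname::text !~ '^[A-Za-z0-9_]+$'

ORDER  BY 1, 2;
```

Both catalogs are cluster-wide, so the query can be run from any database in the cluster. An empty result means no name falls outside the assumed character class.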

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04
Ubuntu 14.04
Ubuntu 12.04

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.