===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0098
       A number of vulnerabilities have been identified in PostgreSQL
                              12 October 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              PostgreSQL
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Denial of Service        -- Remote/Unauthenticated
                      Access Privileged Data   -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-5289 CVE-2015-5288
Member content until: Wednesday, November 11 2015

OVERVIEW

        A number of vulnerabilities have been identified in PostgreSQL
        versions 9.4.5, 9.3.10, 9.2.14, 9.1.19 and 9.0.23. [1]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        "Two security issues have been fixed in this release which affect
        users of specific PostgreSQL features:

        CVE-2015-5289: json or jsonb input values constructed from arbitrary
        user input can crash the PostgreSQL server and cause a denial of
        service.

        CVE-2015-5288: The crypt() function included with the optional
        pgCrypto extension could be exploited to read a few additional
        bytes of memory. No working exploit for this issue has been
        developed." [1]

MITIGATION

        An update has been released to correct these issues. The update
        also disables SSL renegotiation by default; it was previously
        enabled by default. [1]

REFERENCES

        [1] 2015-10-08 Security Update Release
            http://www.postgresql.org/about/news/1615/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
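A version check an administrator might run against the releases named in this bulletin, added here as an example (it is not AusCERT's or the PostgreSQL project's code): it parses the output of SELECT version(), treats the listed releases as the first patched release of each branch (an assumption about the bulletin's wording, based on the vendor's 2015-10-08 update), and additionally flags an installed pgcrypto extension and a non-zero ssl_renegotiation_limit. The extension list and the SHOW value are passed in rather than queried, so the script runs offline on constructed input.

```python
import re

# First patched release per branch, as listed in ASB-2015.0098. Treating them
# as the minimum safe release is an assumption made by this example.
PATCHED = {(9, 4): 5, (9, 3): 10, (9, 2): 14, (9, 1): 19, (9, 0): 23}


def parse_version(version_string):
    """Pull (major, minor, patch) out of a SELECT version() result or a bare '9.4.4'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", version_string)
    if m is None:
        raise ValueError(f"no x.y.z release number in {version_string!r}")
    return tuple(int(g) for g in m.groups())


def assess(version_string, extensions=(), ssl_renegotiation_limit=None):
    """Return findings as a list of (identifier, message) tuples.

    extensions: extname values from pg_extension (supplied by the caller).
    ssl_renegotiation_limit: result of SHOW ssl_renegotiation_limit, or None
    if unknown; "0" means renegotiation is disabled (the post-update default).
    """
    major, minor, patch = parse_version(version_string)
    findings = []
    branch = (major, minor)
    if branch not in PATCHED:
        findings.append(("UNKNOWN-BRANCH", f"{major}.{minor} is not covered by this bulletin; check vendor status"))
    elif patch < PATCHED[branch]:
        fixed = f"{major}.{minor}.{PATCHED[branch]}"
        findings.append(("CVE-2015-5289", f"{major}.{minor}.{patch} predates {fixed}: json/jsonb input from untrusted sources can crash the server"))
        if "pgcrypto" in extensions:  # extension name as registered in pg_extension
            findings.append(("CVE-2015-5288", f"pgcrypto is installed on a release before {fixed}: crypt() may read a few extra bytes of memory"))
    if ssl_renegotiation_limit is not None and ssl_renegotiation_limit.strip() != "0":
        findings.append(("SSL-RENEGOTIATION", f"ssl_renegotiation_limit is {ssl_renegotiation_limit!r}; the update sets the default to 0 (disabled)"))
    return findings


if __name__ == "__main__":
    # Constructed sample inputs standing in for query results from two servers.
    samples = [
        ("PostgreSQL 9.4.4 on x86_64-unknown-linux-gnu, compiled by gcc", ("plpgsql", "pgcrypto"), "512MB"),
        ("PostgreSQL 9.3.10 on x86_64-unknown-linux-gnu, compiled by gcc", ("plpgsql",), "0"),
    ]
    for vstr, exts, limit in samples:
        print(vstr.split(" on ")[0])
        for ident, msg in assess(vstr, exts, limit) or [("OK", "no findings")]:
            print(f"  {ident}: {msg}")
```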