===========================================================================
              AUSCERT Security Bulletin ASB-2016.0040
     Multiple vulnerabilities have been identified in PostgreSQL
                            13 April 2016
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              PostgreSQL
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Denial of Service        -- Existing Account
                      Access Confidential Data -- Existing Account
                      Reduced Security         -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-3065 CVE-2016-2193
Member content until: Friday, May 13 2016

OVERVIEW

        Multiple vulnerabilities have been identified in PostgreSQL versions
        9.5.2, 9.4.7, 9.3.12, 9.2.16, and 9.1.21. [1]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        "This release closes security hole CVE-2016-2193, where a query plan
        might get reused for more than one ROLE in the same session. This
        could cause the wrong set of Row Level Security (RLS) policies to be
        used for the query.

        The update also fixes CVE-2016-3065, a server crash bug triggered by
        using pageinspect with BRIN index pages. Since an attacker might be
        able to expose a few bytes of server memory, this crash is being
        treated as a security issue." [1]

MITIGATION

        The vendor recommends users upgrade to the latest version to fix
        these issues. [1]

REFERENCES

        [1] 2016-03-31 Security Update Release
            http://www.postgresql.org/about/news/1656/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
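A version check a DBA could run against the fixed releases named in this bulletin, added here as an example; it is not part of the AusCERT bulletin or of PostgreSQL's own tooling, and the live wrapper assumes `psql` is on PATH with connection details supplied via the environment or its arguments:

```shell
#!/bin/sh
# Added example, not part of the AusCERT bulletin or of PostgreSQL itself.
# Given a server_version string, report whether the server is at or above the
# first release the bulletin names for its branch:
#   9.5.2, 9.4.7, 9.3.12, 9.2.16, 9.1.21
# Exit status: 0 = at/above the fixed release, 1 = older than it,
#              2 = branch not covered by this bulletin.
pg_fixed_for_asb_2016_0040() {
    ver=$1
    ver=${ver%% *}                  # "9.5.2 (Debian 9.5.2-1)" -> "9.5.2"
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -d. -f2)
    patch=$(printf '%s\n' "$ver" | cut -d. -f3 | sed 's/[^0-9].*$//')
    case "$major.$minor" in
        9.5) need=2 ;;
        9.4) need=7 ;;
        9.3) need=12 ;;
        9.2) need=16 ;;
        9.1) need=21 ;;
        *)   return 2 ;;
    esac
    # A missing third component (e.g. "9.5") is treated as .0
    [ "${patch:-0}" -ge "$need" ]
}

# Query a live server and apply the check. Extra arguments (e.g. -h host
# -U user) are passed straight through to psql. Returns 3 if psql fails.
pg_check_live() {
    v=$(psql -X -A -t -q -c 'SHOW server_version' "$@") || return 3
    pg_fixed_for_asb_2016_0040 "$v"; rc=$?
    case $rc in
        0) echo "server $v: at or above the fixed release for ASB-2016.0040" ;;
        1) echo "server $v: OLDER than the fixed release; upgrade per [1]" ;;
        *) echo "server $v: branch not covered by ASB-2016.0040" ;;
    esac
    return $rc
}
# Usage: pg_check_live -h db.example.com -U postgres
```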