Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2016.0083
Multiple vulnerabilities have been identified in PostgreSQL
12 August 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: PostgreSQL
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Root Compromise -- Existing Account
Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2016-5424 CVE-2016-5423
Member content until: Sunday, September 11 2016
OVERVIEW
Multiple vulnerabilities have been identified in PostgreSQL prior to
versions 9.5.4, 9.4.9, 9.3.14, 9.2.18 and 9.1.23. [1]
IMPACT
The vendor has provided the following information:
"Two security holes have been closed by this release:
CVE-2016-5423: certain nested CASE expressions can cause the server
to crash.
CVE-2016-5424: database and role names with embedded special
characters can allow code injection during administrative operations
like pg_dumpall.
The fix for the second issue also adds an option, -reuse-previous,
to psql's \connect command. pg_dumpall will also refuse to handle
database and role names containing line breaks after the update."
[1]
MITIGATION
The vendor recommends updating to the latest versions. [1]
REFERENCES
[1] 2016-08-11 Security Update Release
https://www.postgresql.org/about/news/1688/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV604Cox+lLeg9Ub1AQjbJQ//eTTc1Xk0cemyBfcvcdbFllFQ1ClJGmNz
/ClrlE29RwFuaFIyMLUM82/Mtp5/yE1xZyMzrN4Qx/Qq/j27oQTK7+xQC4/HpOF3
glyyNUNBfgtUnx8ylgJ0hb0+UFBjK5T48p6LemJ0YCCHQOYS/dFkTktL8+39CDUt
C72NCrsmLVEdMoJ0OXb8M5g5bZ2P3GI/yy7dX4fYcN6nj8agsbINq4PbR0Llwix0
UKojUAKe9bxwiI41iKXYjh14CVQiY8ZlhnXUA4xAfNwg/lUNhqcqoaXT7sX2Wtfr
2+TA5t5bre20b6q/C+kfymh2qE3dcoPn6KCzbePaSOLxuXc7M883tDUb+3bj1sbe
nUKOQTAThqGJUCpqmeBl1Bd2rmUAUalcSGpY6wn0AZ/U9FmFZyeBYoyvJzBkBB8R
Ui031clydKm23iiH/CpETaNNn7rn9wOuU4aac5htsw8ONHL2pVu5G6Sw4nUsJbzl
PAn78LgpCrE48KpwJwcHsjPjwFda4hBnE2Dd9Bl4I3dWrclyc6GDGPxFZCx6Hci8
TsYWuEVEEqMaOTmwYvctpGya2dD+DDL01N8Kb7SStneHQA/6ERTWAu6vZj1xsO9y
gAK5gk8NSBgg/SF4zL4/vHetXZnXvw5YnqtBPeFqpKgszpY29QULH/9oh1CAhG15
Eb8bxpBl7BU=
=CMy+
-----END PGP SIGNATURE-----