-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2016.0083
       Multiple vulnerabilities have been identified in PostgreSQL
                              12 August 2016
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              PostgreSQL
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Root Compromise   -- Existing Account
                      Denial of Service -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-5424 CVE-2016-5423

Member content until: Sunday, September 11 2016

OVERVIEW

        Multiple vulnerabilities have been identified in PostgreSQL prior to
        versions 9.5.4, 9.4.9, 9.3.14, 9.2.18 and 9.1.23. [1]

IMPACT

        The vendor has provided the following information:

        "Two security holes have been closed by this release:

        CVE-2016-5423: certain nested CASE expressions can cause the server
        to crash.

        CVE-2016-5424: database and role names with embedded special
        characters can allow code injection during administrative operations
        like pg_dumpall.

        The fix for the second issue also adds an option, -reuse-previous,
        to psql's \connect command. pg_dumpall will also refuse to handle
        database and role names containing line breaks after the update." [1]

MITIGATION

        The vendor recommends updating to the latest versions. [1]

REFERENCES

        [1] 2016-08-11 Security Update Release
            https://www.postgresql.org/about/news/1688/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for member
                emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV604Cox+lLeg9Ub1AQjbJQ//eTTc1Xk0cemyBfcvcdbFllFQ1ClJGmNz
/ClrlE29RwFuaFIyMLUM82/Mtp5/yE1xZyMzrN4Qx/Qq/j27oQTK7+xQC4/HpOF3
glyyNUNBfgtUnx8ylgJ0hb0+UFBjK5T48p6LemJ0YCCHQOYS/dFkTktL8+39CDUt
C72NCrsmLVEdMoJ0OXb8M5g5bZ2P3GI/yy7dX4fYcN6nj8agsbINq4PbR0Llwix0
UKojUAKe9bxwiI41iKXYjh14CVQiY8ZlhnXUA4xAfNwg/lUNhqcqoaXT7sX2Wtfr
2+TA5t5bre20b6q/C+kfymh2qE3dcoPn6KCzbePaSOLxuXc7M883tDUb+3bj1sbe
nUKOQTAThqGJUCpqmeBl1Bd2rmUAUalcSGpY6wn0AZ/U9FmFZyeBYoyvJzBkBB8R
Ui031clydKm23iiH/CpETaNNn7rn9wOuU4aac5htsw8ONHL2pVu5G6Sw4nUsJbzl
PAn78LgpCrE48KpwJwcHsjPjwFda4hBnE2Dd9Bl4I3dWrclyc6GDGPxFZCx6Hci8
TsYWuEVEEqMaOTmwYvctpGya2dD+DDL01N8Kb7SStneHQA/6ERTWAu6vZj1xsO9y
gAK5gk8NSBgg/SF4zL4/vHetXZnXvw5YnqtBPeFqpKgszpY29QULH/9oh1CAhG15
Eb8bxpBl7BU=
=CMy+
-----END PGP SIGNATURE-----
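The IMPACT section above says the CVE-2016-5424 vector is database and role names with embedded special characters, and that patched pg_dumpall refuses names containing line breaks. The queries below are an added example for administrators working through this bulletin; they are not part of the AusCERT bulletin or of the PostgreSQL project. The first inventories names in pg_catalog.pg_database and pg_catalog.pg_roles that contain line breaks, quote characters or backslashes, or that fall outside a conservative identifier alphabet (that alphabet and the extra character classes are this example's own choice, not a list from the advisory). The second compares the running server_version_num against the fixed minor releases the bulletin names.

```sql
-- Added example (not from the AusCERT bulletin or the PostgreSQL project).
-- Run as a role that can read pg_catalog.pg_database and pg_catalog.pg_roles.

-- 1. Inventory database and role names that a pg_dumpall run would have to
--    quote, so they can be reviewed (or renamed) before and after upgrading.
SELECT 'database' AS object_type, datname AS name
FROM   pg_catalog.pg_database
WHERE  datname ~ E'[\n\r]'               -- embedded line breaks: refused by fixed pg_dumpall
   OR  datname ~ E'["\'\\\\]'            -- double quote, single quote or backslash
   OR  datname !~ '^[a-z_][a-z0-9_]*$'   -- anything outside a conservative identifier set
UNION ALL
SELECT 'role', rolname
FROM   pg_catalog.pg_roles
WHERE  rolname ~ E'[\n\r]'
   OR  rolname ~ E'["\'\\\\]'
   OR  rolname !~ '^[a-z_][a-z0-9_]*$'
ORDER  BY object_type, name;

-- 2. Is this server at or above the fixed release for its major series?
--    server_version_num is e.g. 90504 for 9.5.4, so dividing by 100 yields
--    the series (905, 904, ...). Fixed releases per the bulletin:
--    9.5.4, 9.4.9, 9.3.14, 9.2.18, 9.1.23. Other series are not covered here.
SELECT current_setting('server_version') AS running_version,
       CASE current_setting('server_version_num')::int / 100
         WHEN 905 THEN current_setting('server_version_num')::int >= 90504
         WHEN 904 THEN current_setting('server_version_num')::int >= 90409
         WHEN 903 THEN current_setting('server_version_num')::int >= 90314
         WHEN 902 THEN current_setting('server_version_num')::int >= 90218
         WHEN 901 THEN current_setting('server_version_num')::int >= 90123
         ELSE NULL                        -- series not covered by this bulletin
       END AS has_bulletin_fix;
```

The first query reports hits only for review; it does not rename or drop anything. Names matching the conservative pattern can still be legal PostgreSQL identifiers when quoted, so a hit means "check how your dump and restore tooling quotes this name", not that the name is itself a problem. The second query returns NULL for series the bulletin does not list, rather than asserting anything about them.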