PostgreSQL Security Update: Fixes for CVE-2015-5289 (DoS) and CVE-2015-5287 (Memory Read)

Critical Vulnerability Information Release Information Release Date: 2015-10-08 Released Versions: All supported PostgreSQL versions (including 9.4.5, 9.3.10, 9.2.14, 9.1.19, and 9.0.23) Security Fixes CVE-2015-5289: JSON or jsonb input values constructed from arbitrary user input could cause the PostgreSQL server to crash, resulting in a denial of service. CVE-2015-5287: The crypt() function included in the optional pgCrypto extension could be exploited to read additional bytes from memory. No working exploit has been developed for this issue at this time. Other Fixes and Improvements Prevent server crashes caused by deeply nested regular expressions, LIKE, and SIMILAR matches Multiple fixes related to regular expression processing Ensure ALTER TABLE commands set all necessary locks for CONSTRAINT modifications Fix subtransaction cleanup when cursors fail, preventing crashes Prevent deadlocks during WAL insertion when commit_delay is set Fix locking issues when updating updatable views Prevent corruption of “init file” relation cache Improve performance of large SPI query results Improve LISTEN startup time Disable SSL renegotiation by default Lower the minimum value for the *freeze_max_age parameter Limit wal_buffers maximum value to 2GB Protect against potential stack overflows in multiple areas Fix handling of DOW and DOY in date/time input Allow faster cancellation of regular expression queries Fix multiple planner bugs Fix multiple shutdown issues in postmaster Make autovacuum wraparound more robust Fix minor issues in GIN and SP-GIST indexes Fix multiple issues in PL/Python, PL/Perl, and PL/Tcl Improve garbage collection in pg_stat_statements Improve sorting handling in pgsql_fdw Improve libpq handling under memory exhaustion conditions Prevent psql from crashing when no current connection exists Multiple fixes for pg_dump, including file and object permissions Improve privilege handling when dumping from older PostgreSQL versions Fix support issues for Alpha, PPC, AIX, and Solaris platforms Fix startup issues for Chinese locale settings on Windows Fix Windows install.bat script handling of spaces in filenames Make PostgreSQL version numbers numeric and available as extensions Final 9.0 Release Update 9.0.23 is the final update for major version 9.0, which is now officially end-of-life (EOL) as planned. No future security updates will be provided for version 9.0. Users of this version should plan to upgrade to another major version as soon as possible. For more information on community support policies and EOL timelines, see “Version Policy”.

Goal Reached Thanks to every supporter — we hit 100%!

PostgreSQL Security Update: Fixes for CVE-2015-5289 (DoS) and CVE-2015-5287 (Memory Read)