Debian 10159 Published by

Updated postgresql and iceweasel updates has been released for Debian:

[DSA 3475-1] postgresql-9.1 security update
[DSA 3476-1] postgresql-9.4 security update
[DSA 3477-1] iceweasel security update



[DSA 3475-1] postgresql-9.1 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3475-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 13, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : postgresql-9.1
CVE ID : CVE-2015-5288 CVE-2016-0766 CVE-2016-0773

Several vulnerabilities have been found in PostgreSQL-9.1, a SQL
database system.

CVE-2015-5288

Josh Kupershmidt discovered a vulnerability in the crypt() function
in the pgCrypto extension. Certain invalid salt arguments can cause
the server to crash or to disclose a few bytes of server memory.

CVE-2016-0766

A privilege escalation vulnerability for users of PL/Java was
discovered. Certain custom configuration settings (GUCs) for PL/Java
will now be modifiable only by the database superuser to mitigate
this issue.

CVE-2016-0773

Tom Lane and Greg Stark discovered a flaw in the way PostgreSQL
processes specially crafted regular expressions. Very large
character ranges in bracket expressions could cause infinite
loops or memory overwrites. A remote attacker can exploit this
flaw to cause a denial of service or, potentially, to execute
arbitrary code.

For the oldstable distribution (wheezy), these problems have been fixed
in version 9.1.20-0+deb7u1.

We recommend that you upgrade your postgresql-9.1 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3476-1] postgresql-9.4 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3476-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 13, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : postgresql-9.4
CVE ID : CVE-2016-0766 CVE-2016-0773

Several vulnerabilities have been found in PostgreSQL-9.4, a SQL
database system.

CVE-2016-0766

A privilege escalation vulnerability for users of PL/Java was
discovered. Certain custom configuration settings (GUCs) for PL/Java
will now be modifiable only by the database superuser to mitigate
this issue.

CVE-2016-0773

Tom Lane and Greg Stark discovered a flaw in the way PostgreSQL
processes specially crafted regular expressions. Very large
character ranges in bracket expressions could cause infinite
loops or memory overwrites. A remote attacker can exploit this
flaw to cause a denial of service or, potentially, to execute
arbitrary code.

For the stable distribution (jessie), these problems have been fixed in
version 9.4.6-0+deb8u1.

We recommend that you upgrade your postgresql-9.4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3477-1] iceweasel security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3477-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 14, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : iceweasel
CVE ID : CVE-2016-1523

Holger Fuhrmannek discovered that missing input sanitising in the
Graphite font rendering engine could result in the execution of arbitrary
code.

For the oldstable distribution (wheezy), this problem has been fixed
in version 38.6.1esr-1~deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 38.6.1esr-1~deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 44.0-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/