Detections
Analytics

Debian DLA-491-1 : postgresql-9.1 bugfix update

high Nessus Plugin ID 91358

Language:

Synopsis

The remote Debian host is missing a security update.

Description

The PostgreSQL project released a new version of the PostgreSQL 9.1 branch :

 - Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut)

This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection.

 - Fix 'failed to build any N-way joins' planner error with a full join enclosed in the right-hand side of a left join (Tom Lane)

 - Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() (Tom Lane)

These could advance off the end of the input string, causing subsequent format codes to read garbage.

 - Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane)

 - Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane)

This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines.

 - Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane)

In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore.

 - Rename internal function strtoi() to strtoint() to avoid conflict with a NetBSD library function (Thomas Munro)

 - Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.

For Debian 7 'Wheezy', these problems have been fixed in version 9.1.22-0+deb7u1.

We recommend that you upgrade your postgresql-9.1 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2016/05/msg00044.html

https://packages.debian.org/source/wheezy/postgresql-9.1

Plugin Details

Severity: High

ID: 91358

File Name: debian_DLA-491.nasl

Version: 2.3

Type: local

Agent: unix

Published: 5/31/2016

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libecpg-compat3, p-cpe:/a:debian:debian_linux:libecpg-dev, p-cpe:/a:debian:debian_linux:libecpg6, p-cpe:/a:debian:debian_linux:libpgtypes3, p-cpe:/a:debian:debian_linux:libpq-dev, p-cpe:/a:debian:debian_linux:libpq5, p-cpe:/a:debian:debian_linux:postgresql-9.1, p-cpe:/a:debian:debian_linux:postgresql-9.1-dbg, p-cpe:/a:debian:debian_linux:postgresql-client-9.1, p-cpe:/a:debian:debian_linux:postgresql-contrib-9.1, p-cpe:/a:debian:debian_linux:postgresql-doc-9.1, p-cpe:/a:debian:debian_linux:postgresql-plperl-9.1, p-cpe:/a:debian:debian_linux:postgresql-plpython-9.1, p-cpe:/a:debian:debian_linux:postgresql-plpython3-9.1, p-cpe:/a:debian:debian_linux:postgresql-pltcl-9.1, p-cpe:/a:debian:debian_linux:postgresql-server-dev-9.1, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 5/27/2016