Debian 10260 Published by

The following Debian updates has been released:

[DSA 3154-1] ntp security update
[DSA 3155-1] postgresql-9.1 security update



[DSA 3154-1] ntp security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3154-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
February 05, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ntp
CVE ID : CVE-2014-9297 CVE-2014-9298

Several vulnerabilities were discovered in the ntp package, an
implementation of the Network Time Protocol. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2014-9297

Stephen Roettger of the Google Security Team, Sebastian Krahmer of
the SUSE Security Team and Harlan Stenn of Network Time Foundation
discovered that the length value in extension fields is not properly
validated in several code paths in ntp_crypto.c, which could lead to
information leakage or denial of service (ntpd crash).

CVE-2014-9298

Stephen Roettger of the Google Security Team reported that ACLs
based on IPv6 ::1 addresses can be bypassed.

For the stable distribution (wheezy), these problems have been fixed in
version 1:4.2.6.p5+dfsg-2+deb7u2.

For the unstable distribution (sid), these problems have been fixed in
version 1:4.2.6.p5+dfsg-4.

We recommend that you upgrade your ntp packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3155-1] postgresql-9.1 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3155-1 security@debian.org
http://www.debian.org/security/ Luciano Bello
February 06, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : postgresql-9.1
CVE ID : CVE-2014-8161 CVE-2015-0241 CVE-2015-0243 CVE-2015-0244

Several vulnerabilities have been found in PostgreSQL-9.1, a SQL database
system.

CVE-2014-8161: Information leak
A user with limited clearance on a table might have access to information
in columns without SELECT rights on through server error messages.

CVE-2015-0241: Out of boundaries read/write
The function to_char() might read/write past the end of a buffer. This
might crash the server when a formatting template is processed.

CVE-2015-0243: Buffer overruns in contrib/pgcrypto
The pgcrypto module is vulnerable to stack buffer overrun that might
crash the server.

CVE-2015-0244: SQL command injection
Emil Lenngren reported that an attacker can inject SQL commands when the
synchronization between client and server is lost.

For the stable distribution (wheezy), these problems have been fixed in
version 9.1.15-0+deb7u1.

For the upcoming stable distribution (jessie), these problems have been
fixed in version 9.1.14-0+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 9.1.15-0+deb8u1.

We recommend that you upgrade your postgresql-9.1 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/