Debian 10241 Published by

The following Debian updates has been released:

[DLA-329-1] postgresql-8.4 update
[DSA 3374-1] postgresql-9.4 security update
[DSA 3375-1] wordpress security update



[DLA-329-1] postgresql-8.4 update

Package : postgresql-8.4
Version : 8.4.22lts5-0+deb6u1

Several bugs were discovered in PostgreSQL, a relational database server
system. The 8.4 branch is EOLed upstream, but still present in Debian squeeze.
This new LTS minor version contains the fixes that were applied upstream to the
9.0.22 version, backported to 8.4.22 which was the last version officially
released by the PostgreSQL developers. This LTS effort for squeeze-lts is a
community project sponsored by credativ GmbH.

## Migration to Version 8.4.22lts5

A dump/restore is not required for those running 8.4.X. However, if you are
upgrading from a version earlier than 8.4.22, see the relevant release notes.

## Security Fixes

Fix contrib/pgcrypto to detect and report too-short crypt salts (Josh
Kupershmidt)

Certain invalid salt arguments crashed the server or disclosed a few
bytes of server memory. We have not ruled out the viability of attacks
that arrange for presence of confidential information in the disclosed
bytes, but they seem unlikely. (CVE-2015-5288)



[DSA 3374-1] postgresql-9.4 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3374-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 19, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : postgresql-9.4
CVE ID : CVE-2015-5288 CVE-2015-5289

Several vulnerabilities have been found in PostgreSQL-9.4, a SQL
database system.

CVE-2015-5288

Josh Kupershmidt discovered a vulnerability in the crypt() function
in the pgCrypto extension. Certain invalid salt arguments can cause
the server to crash or to disclose a few bytes of server memory.

CVE-2015-5289

Oskari Saarenmaa discovered that json or jsonb input values
constructed from arbitrary user input can crash the PostgreSQL
server and cause a denial of service.

For the stable distribution (jessie), these problems have been fixed in
version 9.4.5-0+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 9.4.5-1.

For the unstable distribution (sid), these problems have been fixed in
version 9.4.5-1.

We recommend that you upgrade your postgresql-9.4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3375-1] wordpress security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3375-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
October 19, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wordpress
CVE ID : CVE-2015-5714 CVE-2015-5715
Debian Bug : 799140

Several vulnerabilities have been fixed in Wordpress, the popular
blogging engine.

CVE-2015-5714

A cross-site scripting vulnerability when processing shortcode tags
has been discovered.

The issue has been fixed by not allowing unclosed HTML elements in
attributes.

CVE-2015-5715

A vulnerability has been discovered, allowing users without proper
permissions to publish private posts and make them sticky.

The issue has been fixed in the XMLRPC code of Wordpress by not
allowing private posts to be sticky.

Other issue(s)

A cross-site scripting vulnerability in user list tables has been
discovered.

The issue has been fixed by URL-escaping email addresses in those
user lists.

For the oldstable distribution (wheezy), these problems will be fixed
in later update.

For the stable distribution (jessie), these problems have been fixed in
version 4.1+dfsg-1+deb8u5.

For the testing distribution (stretch), these problems have been fixed
in version 4.3.1+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 4.3.1+dfsg-1.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/