Bugzilla – Bug 966436
VUL-0: CVE-2016-0773: postgresql: buffer overrun in regular expression processing
Last modified: 2018-11-07 16:28:38 UTC
http://www.postgresql.org/about/news/1644/ http://www.postgresql.org/docs/current/static/release-9-5-1.html Release Notes 9.5.1: Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane) Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773) References: https://bugzilla.redhat.com/show_bug.cgi?id=1303832 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0773 http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0773.html
bugbot adjusting priority
1. What is SLE10 TD? 2. Several of the issues mentioned in SMASH have already been fixed with the previous update. 3. Please also include the pending request for postgresql-init (94822) in this update.
I have a customer who has asked if this will be addressed for sles11 sp3 and sp4. Do you know if it will and if you have an eta? Thanks so much.
The SLE-11-SP1 package will also show up on SP3 and SP4. As for the eta, the packaging part is done, but I don't know how long it will take to pass through QA and get released.
That sounds great. Thanks very much Reinhard.
openSUSE-SU-2016:0531-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 966435,966436 CVE References: CVE-2007-4772,CVE-2016-0766,CVE-2016-0773 Sources used: openSUSE Leap 42.1 (src): postgresql-init-9.4-6.1, postgresql93-9.3.11-3.2, postgresql93-libs-9.3.11-3.2 openSUSE 13.2 (src): postgresql93-9.3.11-2.10.1, postgresql93-libs-9.3.11-2.10.1
SUSE-SU-2016:0539-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 966435,966436 CVE References: CVE-2007-4772,CVE-2016-0766,CVE-2016-0773 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): postgresql93-libs-9.3.11-14.1 SUSE Linux Enterprise Server 12 (src): postgresql93-9.3.11-14.2 SUSE Linux Enterprise Desktop 12 (src): postgresql93-9.3.11-14.2
SUSE-SU-2016:0555-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 578053,966435,966436 CVE References: CVE-2007-4772,CVE-2016-0766,CVE-2016-0773 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): postgresql94-libs-9.4.6-7.1 SUSE Linux Enterprise Software Development Kit 12 (src): postgresql94-libs-9.4.6-7.1 SUSE Linux Enterprise Server 12-SP1 (src): postgresql94-9.4.6-7.2, postgresql94-libs-9.4.6-7.1 SUSE Linux Enterprise Server 12 (src): postgresql94-9.4.6-7.2, postgresql94-libs-9.4.6-7.1 SUSE Linux Enterprise Desktop 12-SP1 (src): postgresql94-9.4.6-7.2, postgresql94-libs-9.4.6-7.1 SUSE Linux Enterprise Desktop 12 (src): postgresql94-9.4.6-7.2, postgresql94-libs-9.4.6-7.1
openSUSE-SU-2016:0578-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 578053,966435,966436 CVE References: CVE-2007-4772,CVE-2016-0766,CVE-2016-0773 Sources used: openSUSE Leap 42.1 (src): postgresql94-9.4.6-4.1, postgresql94-libs-9.4.6-4.1
This is an autogenerated message for OBS integration: This bug (966436) was mentioned in https://build.opensuse.org/request/show/367653 Factory / postgresql93
SUSE-SU-2016:0677-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 949669,949670,966435,966436 CVE References: CVE-2007-4772,CVE-2015-5288,CVE-2015-5289,CVE-2016-0766,CVE-2016-0773 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): postgresql94-libs-9.4.6-0.14.3 SUSE Linux Enterprise Server 11-SP4 (src): postgresql94-9.4.6-0.14.3, postgresql94-libs-9.4.6-0.14.3 SUSE Linux Enterprise Desktop 11-SP4 (src): postgresql94-9.4.6-0.14.3, postgresql94-libs-9.4.6-0.14.3 SUSE Linux Enterprise Debuginfo 11-SP4 (src): postgresql94-9.4.6-0.14.3, postgresql94-libs-9.4.6-0.14.3
This is an autogenerated message for OBS integration: This bug (966436) was mentioned in https://build.opensuse.org/request/show/368148 Factory / postgresql94
I don't see an update for SLES11SP3 here: https://www.suse.com/security/cve/CVE-2016-0773.html Is there one in progress?
SLES11SP3 is covered by the SLE11SP1 update.
There are no 11SP1 nor 11SP3 links in this page: https://www.suse.com/security/cve/CVE-2016-0773.html
Indeed, I misread 12-SP1 as 11-SP1. Sorry for that. But anyway, as far as SLE11 goes, I submited the sources for PostgreSQL 9.4.6 only to SP1 and all later SPs of the respective releases should "inherit" the packages from there. Marcus, can you explain why this only got released for SLE11-SP4 and no older SPs?
SLES 11 SP3 has left regular maintenance and support on January 31st 2016. It has entered the 3 year LTSS phase on 2nd February. This update happened after that time, so it is no longer released to the general support and maintenance trees of SLES 11 SP3. We currently have no LTSS update planned, as the severity so far does not meet the LTSS release criteria. A PTF can be requested by LTSS customers via the regular support channels. -> issue seems done
*** Bug 978323 has been marked as a duplicate of this bug. ***