Wind River Support Network

HomeDefectsLIN6-9978
Fixed

LIN6-9978 : Security Advisory - postgresql - CVE-2015-3167

Created: Jun 9, 2015    Updated: Dec 3, 2018
Resolved Date: Jul 8, 2015
Previous ID: LIN4-32716
Found In Version: 6.0.0.20
Fix Version: 6.0.0.23
Severity: Standard
Applicable for: Wind River Linux 6
Component/s: Userspace

Description

The PostgreSQL project reports the following issue:

pgcrypto functions usually reported "Wrong key or corrupt data" upon decrypting with an incorrect key, but several other messages were possible when the errant decryption output resembled an OpenPGP packet header. Error message variance in other systems has enabled cryptologic attacks; see RFC 4880 section "14. Security Considerations". Whether these pgcrypto behaviors are likewise exploitable is unknown.

This flaw is fixed in upstream versions 9.4.2, 9.3.7, 9.2.11, 9.1.16, and 9.0.20 of PostgreSQL.

Acknowledgements:

Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Noah Misch as the original reporter.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3167

Other Downloads


Live chat
Online