SB2015070725 - Amazon Linux AMI update for postgresql8

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2015-3165)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence. <a href="http://cwe.mitre.org/data/definitions/415.html">CWE-415: Double Free</a>

2) Buffer overflow (CVE-ID: CVE-2015-3166)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as demonstrated by an out-of-memory error.

3) Information disclosure (CVE-ID: CVE-2015-3167)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes it easier for attackers to obtain the key via a brute force attack.

Remediation

Install update from vendor's website.

References

• https://alas.aws.amazon.com/ALAS-2015-556.html