CVE-2016-5424

Name: CVE-2016-5424
Description: PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-592-1, DSA-3646-1

The information below is based on the following data on fixed versions.

Package         Type    Release     Fixed Version     Urgency  Origin      Debian Bugs
postgresql-9.1  source  wheezy      9.1.23-0+deb7u1            DLA-592-1
postgresql-9.1  source  jessie      (not affected)
postgresql-9.1  source  (unstable)  (unfixed)
postgresql-9.4  source  jessie      9.4.9-0+deb8u1             DSA-3646-1
postgresql-9.4  source  (unstable)  (unfixed)
postgresql-9.5  source  (unstable)  9.5.4-1

Notes

[jessie] - postgresql-9.1 <not-affected> (postgresql-9.1 in jessie only provides PL/Perl)
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=fcd15f13581f6d75c63d213220d5a94889206c1b
https://www.postgresql.org/about/news/1688/