| Name | CVE-2014-0063 |
| Description | Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065. |
| Source | CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more) |
| References | DSA-2864-1, DSA-2865-1 |
| NVD severity | medium (attack range: remote) |
| Debian/oldstable | not vulnerable. |
| Debian/stable | not vulnerable. |
| Debian/testing | not vulnerable. |
| Debian/unstable | not vulnerable. |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| postgresql-8.4 (PTS) | squeeze | 8.4.21-0squeeze1 | fixed |
| squeeze (security) | 8.4.20-0squeeze1 | fixed | |
| squeeze (lts) | 8.4.22lts1-0+deb6u1 | fixed | |
| wheezy | 8.4.22-0+deb7u1 | fixed | |
| postgresql-9.1 (PTS) | wheezy | 9.1.14-0+deb7u1 | fixed |
| wheezy (security) | 9.1.15-0+deb7u1 | fixed | |
| jessie, sid | 9.1.15-0+deb8u1 | fixed |
The information above is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| postgresql-8.4 | source | (unstable) | (unfixed) | medium | ||
| postgresql-8.4 | source | squeeze | 8.4.20-0squeeze1 | medium | DSA-2864-1 | |
| postgresql-8.4 | source | wheezy | (not affected) | |||
| postgresql-9.1 | source | (unstable) | 9.1.11-2 | medium | ||
| postgresql-9.1 | source | wheezy | 9.1.12-0wheezy1 | medium | DSA-2865-1 | |
| postgresql-9.3 | source | (unstable) | 9.3.3-1 | medium |
[wheezy] - postgresql-8.4 <not-affected> (postgresql-8.4 in wheezy only provides PL/Perl)