| Name | CVE-2015-3167 |
| Description | contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes it easier for attackers to obtain the key via a brute force attack. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-227-1, DSA-3269-1, DSA-3270-1 |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| postgresql-8.4 | source | squeeze | 8.4.22lts2-0+deb6u2 | DLA-227-1 | ||
| postgresql-8.4 | source | wheezy | (not affected) | |||
| postgresql-8.4 | source | (unstable) | (unfixed) | |||
| postgresql-9.1 | source | wheezy | 9.1.16-0+deb7u1 | DSA-3269-1 | ||
| postgresql-9.1 | source | jessie | 9.1.16-0+deb8u1 | DSA-3269-1 | ||
| postgresql-9.1 | source | (unstable) | (unfixed) | |||
| postgresql-9.4 | source | jessie | 9.4.2-0+deb8u1 | DSA-3270-1 | ||
| postgresql-9.4 | source | (unstable) | 9.4.2-1 |
Since 9.1.1-2 src:postgresql-9.1 builds only postgresql-plperl-9.1, source-wise fixed
[wheezy] - postgresql-8.4 <not-affected> (postgresql-8.4 in wheezy only provides PL/Perl; EOL upstream)