Name | CVE-2016-5424
Description | PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References | DLA-592-1, DSA-3646-1
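The description above names the mechanism: a name that a superuser-run administrative tool splices into SQL text (or into a dump script that is later replayed) with the four listed characters unescaped. The following Python is an added illustration, not code from the Debian tracker or from PostgreSQL: it contrasts a naive identifier splice with the standard quoted-identifier rule plus a CR/LF check, using a constructed sample name and a minimal statement counter. The function names, the `ALTER DATABASE` template and the sample name are assumptions chosen for the demonstration; the backslash case from the description concerns names passed on to a shell or psql meta-command and is not modelled here.

```python
# Added example (not from the Debian tracker or PostgreSQL): why an
# administrative tool that builds SQL from a database or role name must
# quote it as an identifier and refuse CR/LF, two of the character classes
# named in the CVE description. SAMPLE_NAME is constructed, not a real exploit.

SAMPLE_NAME = 'demo"; SELECT 1; --'   # constructed: a name carrying a double quote


def naive_admin_sql(name: str) -> str:
    """Vulnerable pattern: the name is pasted into a double-quoted identifier
    with no escaping, so an embedded '"' ends the identifier early and the
    remainder of the name is parsed as further SQL."""
    return 'ALTER DATABASE "%s" CONNECTION LIMIT 0;' % name


def quote_identifier(name: str) -> str:
    """PostgreSQL quoted-identifier rule (what quote_ident()/PQescapeIdentifier
    apply): wrap in double quotes and double every embedded double quote."""
    return '"' + name.replace('"', '""') + '"'


def validate_name(name: str) -> str:
    """Reject CR and LF outright. Quoting cannot protect a line-oriented
    consumer (a dump script fed back through psql, a psql meta-command): there
    a newline ends the command regardless of surrounding quotes."""
    if "\r" in name or "\n" in name:
        raise ValueError("database/role names must not contain CR or LF")
    if "\0" in name:
        raise ValueError("database/role names must not contain NUL")
    return name


def safe_admin_sql(name: str) -> str:
    """Hardened form: validate the name, then splice a quoted identifier."""
    return "ALTER DATABASE %s CONNECTION LIMIT 0;" % quote_identifier(validate_name(name))


def count_statements(sql: str) -> int:
    """Count top-level statements: ';' outside quoted identifiers, string
    literals and -- line comments. A minimal lexer, enough for this demo."""
    n = 0
    i = 0
    quote = None                      # '"', "'" or None when outside quotes
    while i < len(sql):
        c = sql[i]
        if quote:
            if c == quote:
                if i + 1 < len(sql) and sql[i + 1] == quote:
                    i += 2            # doubled quote is an escape: stay inside
                    continue
                quote = None
        elif sql.startswith("--", i):
            nl = sql.find("\n", i)    # comment runs to end of line
            i = len(sql) if nl == -1 else nl
            continue
        elif c in ('"', "'"):
            quote = c
        elif c == ";":
            n += 1
        i += 1
    return n


if __name__ == "__main__":
    naive = naive_admin_sql(SAMPLE_NAME)
    safe = safe_admin_sql(SAMPLE_NAME)
    print(naive, "->", count_statements(naive), "statements")   # 2: injection
    print(safe, "->", count_statements(safe), "statements")     # 1: one identifier
    try:
        safe_admin_sql("demo\nrole")
    except ValueError as err:
        print("rejected:", err)
```

Run as a script it prints the two generated commands side by side: the naive template yields two statements from one name, the quoted template yields one, and a name containing a newline is refused before any SQL is built. The same quote-doubling and CR/LF rejection apply to role names.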
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
---|---|---|---|---|---|---
postgresql-9.1 | source | wheezy | 9.1.23-0+deb7u1 | | DLA-592-1 |
postgresql-9.1 | source | jessie | (not affected) | | |
postgresql-9.1 | source | (unstable) | (unfixed) | | |
postgresql-9.4 | source | jessie | 9.4.9-0+deb8u1 | | DSA-3646-1 |
postgresql-9.4 | source | (unstable) | (unfixed) | | |
postgresql-9.5 | source | (unstable) | 9.5.4-1 | | |
[jessie] - postgresql-9.1 <not-affected> (postgresql-9.1 in jessie only provides PL/Perl)
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=fcd15f13581f6d75c63d213220d5a94889206c1b
https://www.postgresql.org/about/news/1688/