Mageia alert MGASA-2017-0230 (postgresql9.4)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2017-0230: Updated postgresql9.4 packages fix security vulnerabilities 
Date:
    	     
 
Sun, 30 Jul 2017 17:59:25 +0200
Message-ID:
    	     
 
<20170730155925.D263F9F88B@duvel.mageia.org>
MGASA-2017-0230 - Updated postgresql9.4 packages fix security vulnerabilities

Publication date: 30 Jul 2017
URL: http://advisories.mageia.org/MGASA-2017-0230.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2017-7484,
     CVE-2017-7485,
     CVE-2017-7486

Description:
Robert Haas discovered that some selectivity estimators did not validate user
privileges which could result in information disclosure (CVE-2017-7484).

Daniel Gustafsson discovered that the PGREQUIRESSL environment variable did no
longer enforce a TLS connection (CVE-2017-7485).

Andrew Wheelwright discovered that user mappings were insufficiently restricted
(CVE-2017-7486).

References:
- https://bugs.mageia.org/show_bug.cgi?id=20842
- http://www.postgresql.org/docs/current/static/release-9-3...
- http://www.postgresql.org/docs/current/static/release-9-4...
- https://www.postgresql.org/about/news/1746/
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7484
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7485
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7486

SRPMS:
- 5/core/postgresql9.3-9.3.17-1.mga5
- 5/core/postgresql9.4-9.4.12-1.mga5