Mageia alert MGASA-2017-0316 (postgresql9.3/4/6)
| From: | Mageia Updates <buildsystem-daemon@mageia.org> |
| To: | updates-announce@ml.mageia.org |
| Subject: | [updates-announce] MGASA-2017-0316: Updated postgresql9.3/4/6 packages fix security vulnerabilities |
| Date: | Mon, 28 Aug 2017 10:15:15 +0200 |
| Message-ID: | <20170828081515.203649F871@duvel.mageia.org> |
MGASA-2017-0316 - Updated postgresql9.3/4/6 packages fix security vulnerabilities

Publication date: 28 Aug 2017
URL: http://advisories.mageia.org/MGASA-2017-0316.html
Type: security
Affected Mageia releases: 5, 6
CVE: CVE-2017-7546, CVE-2017-7547, CVE-2017-7548

Description:

libpq, and by extension any connection driver built on libpq, ignores empty passwords and does not transmit them to the server. When password-based authentication is performed through libpq or a libpq-based driver, setting an empty password therefore appears to be equivalent to disabling password login. A client using a non-libpq driver, however, could still log in with the empty password (CVE-2017-7546).

A user could see the options in pg_user_mappings even without the USAGE permission on the associated foreign server. This could expose details such as a password that had been set by the server administrator rather than by the user (CVE-2017-7547).

The lo_put() function should require the same permissions as lowrite(), but a missing permission check allowed any user to change the data in a large object (CVE-2017-7548).

Note: the CVE-2017-7547 issue requires manual intervention to fix on affected systems. See the references for details.

References:
- https://bugs.mageia.org/show_bug.cgi?id=21496
- http://www.postgresql.org/docs/current/static/release-9-3...
- http://www.postgresql.org/docs/current/static/release-9-4...
- https://www.postgresql.org/docs/current/static/release-9-...
- https://www.postgresql.org/about/news/1772/
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7546
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7547
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7548

SRPMS:
- 6/core/postgresql9.4-9.4.13-1.mga6
- 6/core/postgresql9.6-9.6.4-1.mga6
- 5/core/postgresql9.3-9.3.18-1.mga5
- 5/core/postgresql9.4-9.4.13-1.mga5
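The two audit queries below are an added example for administrators of the affected 9.3/9.4/9.6 servers; they are not part of the Mageia advisory or of PostgreSQL's own fix scripts. The first finds roles whose stored password is the empty string (the accounts CVE-2017-7546 makes reachable from non-libpq drivers), assuming the 9.x default password_encryption=on, under which a password is stored as 'md5' followed by md5(password || rolname); the fixture role name is hypothetical and is rolled back. The second checks, after the manual view update for CVE-2017-7547 described in the references, that a role without USAGE on a foreign server no longer sees the mapping options; it assumes at least one foreign server and user mapping exist.

```sql
-- Added example, not the advisory's or PostgreSQL's own code.
-- Part 1: run as a superuser (pg_authid is superuser-only).
-- Assumption: password_encryption = on (the 9.x default), so an empty
-- password is stored as 'md5' || md5('' || rolname) = 'md5' || md5(rolname).
-- A cleartext '' is also matched, in case a role was created with
-- UNENCRYPTED PASSWORD.

BEGIN;

-- Constructed fixture (hypothetical name) so the audit has one hit;
-- it is discarded by the ROLLBACK below.
CREATE ROLE audit_probe_empty_pw LOGIN PASSWORD '';

-- CVE-2017-7546 audit: login roles whose password is empty. libpq never
-- sends an empty password, so these look locked from psql, yet a non-libpq
-- driver can log in. Remediate with ALTER ROLE ... PASSWORD NULL (removes
-- password login entirely) or ALTER ROLE ... NOLOGIN.
SELECT rolname, rolcanlogin
FROM   pg_authid
WHERE  rolpassword = 'md5' || md5(rolname)   -- md5 of '' || rolname
   OR  rolpassword = '';

ROLLBACK;   -- removes the fixture role again

-- Part 2: CVE-2017-7547 verification. Run this as a role that is NOT a
-- superuser, does NOT own the foreign server and has NO USAGE on it
-- (a superuser or owner legitimately sees the options, so it proves nothing).
-- After the manual view update from the release notes every umoptions value
-- returned here must be NULL; any non-NULL row means the old view definition
-- is still in place in this database.
SELECT srvname, usename, umoptions
FROM   pg_user_mappings
WHERE  NOT has_server_privilege(srvid, 'USAGE');
```

Part 1 runs in each cluster once, since roles are cluster-wide; part 2 has to be repeated in every database, because the pg_user_mappings view definition is stored per database and the manual fix has to be applied to each one.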
