Updated postgresql packages fix security vulnerabilities
Publication date: 29 Nov 2017Modification date: 29 Nov 2017
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2017-12172 , CVE-2017-15098 , CVE-2017-15099
Description
The startup log file for the postmaster (in newer releases, "postgres") process was opened while the process was still owned by root. With this setup, the database owner could specify a file that they did not have access to and cause the file to be corrupted with logged data (CVE-2017-12172). Crash due to rowtype mismatch in json{b}_populate_recordset(). These functions used the result rowtype specified in the FROM ... AS clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well (CVE-2017-15098). The "INSERT ... ON CONFLICT DO UPDATE" would not check to see if the executing user had permission to perform a "SELECT" on the index performing the conflicting check. Additionally, in a table with row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE" would not check the SELECT policies for that table before performing the update (CVE-2017-15099).
References
- https://bugs.mageia.org/show_bug.cgi?id=22002
- https://www.postgresql.org/docs/9.3/static/release-9-3-20.html
- https://www.postgresql.org/docs/9.4/static/release-9-4-15.html
- https://www.postgresql.org/docs/9.6/static/release-9-6-6.html
- https://www.postgresql.org/about/news/1801/
- https://www.debian.org/security/2017/dsa-4028
- https://www.debian.org/security/2017/dsa-4027
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12172
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15098
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15099
SRPMS
5/core
- postgresql9.3-9.3.20-1.mga5
- postgresql9.4-9.4.15-1.mga5
6/core
- postgresql9.4-9.4.15-1.mga6
- postgresql9.6-9.6.6-1.mga6