Advisories ยป MGASA-2017-0316

Updated postgresql9.3/4/6 packages fix security vulnerabilities

Publication date: 28 Aug 2017
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2017-7546 , CVE-2017-7547 , CVE-2017-7548


libpq, and by extension any connection driver that utilizes libpq,
ignores empty passwords and does not transmit them to the server. When
using libpq or a libpq-based connection driver to perform password-based
authentication methods, it would appear that setting an empty password
would be the equivalent of disabling password login. However, using a
non-libpq based connection driver could allow a client with an empty
password to log in (CVE-2017-7546).

A user had access to see the options in pg_user_mappings even if the
user did not have the USAGE permission on the associated foreign server.
This meant that a user could see details such as a password that might
have been set by the server administrator rather than the user

The lo_put() function should require the same permissions as lowrite(),
but there was a missing permission check which would allow any user to
change the data in a large object (CVE-2017-7548).

Note: the CVE-2017-7547 issue requires manual intervention to fix on
affected systems.  See the references for details.