Updated postgresql9.3/4/6 packages fix security vulnerabilities
Publication date: 28 Aug 2017Modification date: 28 Aug 2017
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2017-7546 , CVE-2017-7547 , CVE-2017-7548
Description
libpq, and by extension any connection driver that utilizes libpq, ignores empty passwords and does not transmit them to the server. When using libpq or a libpq-based connection driver to perform password-based authentication methods, it would appear that setting an empty password would be the equivalent of disabling password login. However, using a non-libpq based connection driver could allow a client with an empty password to log in (CVE-2017-7546). A user had access to see the options in pg_user_mappings even if the user did not have the USAGE permission on the associated foreign server. This meant that a user could see details such as a password that might have been set by the server administrator rather than the user (CVE-2017-7547). The lo_put() function should require the same permissions as lowrite(), but there was a missing permission check which would allow any user to change the data in a large object (CVE-2017-7548). Note: the CVE-2017-7547 issue requires manual intervention to fix on affected systems. See the references for details.
References
- https://bugs.mageia.org/show_bug.cgi?id=21496
- http://www.postgresql.org/docs/current/static/release-9-3-18.html
- http://www.postgresql.org/docs/current/static/release-9-4-13.html
- https://www.postgresql.org/docs/current/static/release-9-6-4.html
- https://www.postgresql.org/about/news/1772/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7546
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7547
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7548
SRPMS
5/core
- postgresql9.3-9.3.18-1.mga5
- postgresql9.4-9.4.13-1.mga5
6/core
- postgresql9.4-9.4.13-1.mga6
- postgresql9.6-9.6.4-1.mga6