Updated postgresql packages fix security vulnerabilities
Publication date: 29 Nov 2017Modification date: 29 Nov 2017
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2017-12172 , CVE-2017-15098 , CVE-2017-15099
Description
The startup log file for the postmaster (in newer releases, "postgres")
process was opened while the process was still owned by root. With this
setup, the database owner could specify a file that they did not have
access to and cause the file to be corrupted with logged data
(CVE-2017-12172).
Crash due to rowtype mismatch in json{b}_populate_recordset(). These
functions used the result rowtype specified in the FROM ... AS clause
without checking that it matched the actual rowtype of the supplied
tuple value. If it didn't, that would usually result in a crash, though
disclosure of server memory contents seems possible as well
(CVE-2017-15098).
The "INSERT ... ON CONFLICT DO UPDATE" would not check to see if the
executing user had permission to perform a "SELECT" on the index
performing the conflicting check. Additionally, in a table with
row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE" would
not check the SELECT policies for that table before performing the
update (CVE-2017-15099).
References
- https://bugs.mageia.org/show_bug.cgi?id=22002
- https://www.postgresql.org/docs/9.3/static/release-9-3-20.html
- https://www.postgresql.org/docs/9.4/static/release-9-4-15.html
- https://www.postgresql.org/docs/9.6/static/release-9-6-6.html
- https://www.postgresql.org/about/news/1801/
- https://www.debian.org/security/2017/dsa-4028
- https://www.debian.org/security/2017/dsa-4027
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12172
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15098
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15099
SRPMS
5/core
- postgresql9.3-9.3.20-1.mga5
- postgresql9.4-9.4.15-1.mga5
6/core
- postgresql9.4-9.4.15-1.mga6
- postgresql9.6-9.6.6-1.mga6