Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2017:1783-1

Опубликовано: 05 июл. 2017
Источник: suse-cvrf

Описание

Security update for postgresql94

This update for postgresql93 fixes the following issues:

  • bsc#1029547: Fix tests with timezone 2017a
  • CVE-2017-7486: Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1037624)
  • CVE-2017-7485: Recognize PGREQUIRESSL variable again. (bsc#1038293)
  • CVE-2017-7484: Prevent exposure of statistical information via leaky operators. (bsc#1037603)

Список пакетов

SUSE Linux Enterprise Server 11 SP4
libecpg6-9.4.12-0.22.3
libpq5-9.4.12-0.22.3
libpq5-32bit-9.4.12-0.22.3
postgresql94-9.4.12-0.22.3
postgresql94-contrib-9.4.12-0.22.3
postgresql94-docs-9.4.12-0.22.3
postgresql94-server-9.4.12-0.22.3
SUSE Linux Enterprise Server for SAP Applications 11 SP4
libecpg6-9.4.12-0.22.3
libpq5-9.4.12-0.22.3
libpq5-32bit-9.4.12-0.22.3
postgresql94-9.4.12-0.22.3
postgresql94-contrib-9.4.12-0.22.3
postgresql94-docs-9.4.12-0.22.3
postgresql94-server-9.4.12-0.22.3
SUSE Linux Enterprise Software Development Kit 11 SP4
postgresql94-devel-9.4.12-0.22.3

Ссылки

Описание

It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.

Затронутые продукты
SUSE Linux Enterprise Server 11 SP4:libecpg6-9.4.12-0.22.3
SUSE Linux Enterprise Server 11 SP4:libpq5-32bit-9.4.12-0.22.3
SUSE Linux Enterprise Server 11 SP4:libpq5-9.4.12-0.22.3
SUSE Linux Enterprise Server 11 SP4:postgresql94-9.4.12-0.22.3
Ссылки

Описание

In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.

Затронутые продукты
SUSE Linux Enterprise Server 11 SP4:libecpg6-9.4.12-0.22.3
SUSE Linux Enterprise Server 11 SP4:libpq5-32bit-9.4.12-0.22.3
SUSE Linux Enterprise Server 11 SP4:libpq5-9.4.12-0.22.3
SUSE Linux Enterprise Server 11 SP4:postgresql94-9.4.12-0.22.3
Ссылки

Описание

PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server.

Затронутые продукты
SUSE Linux Enterprise Server 11 SP4:libecpg6-9.4.12-0.22.3
SUSE Linux Enterprise Server 11 SP4:libpq5-32bit-9.4.12-0.22.3
SUSE Linux Enterprise Server 11 SP4:libpq5-9.4.12-0.22.3
SUSE Linux Enterprise Server 11 SP4:postgresql94-9.4.12-0.22.3
Ссылки
Уязвимость SUSE-SU-2017:1783-1