Описание
Security update for postgresql94
This update for postgresql94 to 9.4.12 fixes the following issues:
Upstream changelogs:
- https://www.postgresql.org/docs/9.4/static/release-9-4-12.html
- https://www.postgresql.org/docs/9.4/static/release-9-4-11.html
- https://www.postgresql.org/docs/9.4/static/release-9-4-10.html
Security issues fixed:
-
CVE-2017-7486: Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1037624)
Please note that manual action is needed to fix this in existing databases See the upstream release notes for details.
-
CVE-2017-7485: recognize PGREQUIRESSL variable again. (bsc#1038293)
-
CVE-2017-7484: Prevent exposure of statistical information via leaky operators. (bsc#1037603)
Changes in version 9.4.12:
- Build corruption with CREATE INDEX CONCURRENTLY
- Fixes for visibility and write-ahead-log stability
Changes in version 9.4.10:
- Fix WAL-logging of truncation of relation free space maps and visibility maps
- Fix incorrect creation of GIN index WAL records on big-endian machines
- Fix SELECT FOR UPDATE/SHARE to correctly lock tuples that have been updated by a subsequently-aborted transaction
- Fix EvalPlanQual rechecks involving CTE scans
- Fix improper repetition of previous results from hashed aggregation in a subquery
The libraries libpq and libecpg are now supplied by postgresql 9.6.
This update was imported from the SUSE:SLE-12:Update update project.
Список пакетов
openSUSE Leap 42.2
Ссылки
- E-Mail link for openSUSE-SU-2017:1772-1
- SUSE Security Ratings
Описание
It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
Затронутые продукты
Ссылки
- CVE-2017-7484
- SUSE Bug 1037603
- SUSE Bug 1051015
Описание
In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.
Затронутые продукты
Ссылки
- CVE-2017-7485
- SUSE Bug 1038293
- SUSE Bug 1051015
Описание
PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server.
Затронутые продукты
Ссылки
- CVE-2017-7486
- SUSE Bug 1037624
- SUSE Bug 1051015
- SUSE Bug 1051685