MGASA-2017-0316

Source
https://advisories.mageia.org/MGASA-2017-0316.html
Import Source
https://advisories.mageia.org/MGASA-2017-0316.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2017-0316
Related
Published
2017-08-28T08:14:39Z
Modified
2017-08-28T07:55:45Z
Summary
Updated postgresql9.3/4/6 packages fix security vulnerabilities
Details

libpq, and by extension any connection driver built on libpq, ignores an empty password and does not transmit it to the server. When libpq or a libpq-based driver is used with a password-based authentication method, setting a role's password to the empty string therefore appears to be equivalent to disabling password login for that role. However, a client that does not use libpq can still present the empty password and log in (CVE-2017-7546).
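An added example (not part of the advisory or of PostgreSQL's own code) of the audit a DBA would want before relying on the fixed packages: find roles whose stored password is the empty string, which is the state CVE-2017-7546 turns into a working login. It reproduces the way PostgreSQL 9.x stores md5-encrypted passwords ('md5' followed by hex(md5(password || rolname))), or the bare string when the password was stored unencrypted, and runs the check over a constructed sample of pg_authid rows so it works offline. Role names, passwords and the sample rows are invented for illustration.

```python
import hashlib
from typing import List, Optional, Sequence, Tuple


def pg_md5_password(password: str, rolname: str) -> str:
    """Hash PostgreSQL 9.x stores for an md5-encrypted role password:
    the literal prefix 'md5' followed by hex(md5(password || rolname))."""
    return "md5" + hashlib.md5((password + rolname).encode("utf-8")).hexdigest()


def has_empty_password(rolpassword: Optional[str], rolname: str) -> bool:
    """True if password authentication for this role would succeed with ''.
    A NULL rolpassword means the role has no password at all, so password-based
    authentication always fails for it; that is not the vulnerable state."""
    if rolpassword is None:
        return False
    if rolpassword == "":
        return True  # empty password stored UNENCRYPTED
    return rolpassword == pg_md5_password("", rolname)


# Constructed sample of pg_authid rows: (rolname, rolpassword, rolcanlogin).
# Not taken from a real server; names and passwords are hypothetical.
SAMPLE_PG_AUTHID: Sequence[Tuple[str, Optional[str], bool]] = [
    ("postgres", pg_md5_password("s3cret", "postgres"), True),
    ("app_ro", pg_md5_password("", "app_ro"), True),          # "disabled" via empty password
    ("legacy", "", True),                                      # empty password stored in clear
    ("nopass", None, True),                                    # no password at all
    ("group_role", pg_md5_password("", "group_role"), False),  # NOLOGIN: cannot authenticate
]


def find_empty_password_roles(rows, only_login: bool = True) -> List[str]:
    """Return the names of roles whose stored password is the empty string.
    With only_login=True, NOLOGIN roles are skipped because they cannot log in
    regardless of their password."""
    found = []
    for rolname, rolpassword, rolcanlogin in rows:
        if only_login and not rolcanlogin:
            continue
        if has_empty_password(rolpassword, rolname):
            found.append(rolname)
    return found


if __name__ == "__main__":
    for role in find_empty_password_roles(SAMPLE_PG_AUTHID):
        print(f"role {role!r} accepts an empty password: "
              f"set a real password or ALTER ROLE {role} NOLOGIN")
```

On a live 9.x server the equivalent check, run as a superuser, is `SELECT rolname FROM pg_authid WHERE rolpassword = '' OR rolpassword = 'md5' || md5('' || rolname);`. Any role it returns should get a real password or NOLOGIN, since the empty-password "lockout" only ever existed on the libpq client side.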

A user could see the options in the pg_user_mappings view even without USAGE permission on the associated foreign server. This meant that a user could read details such as a password that had been set by the server administrator rather than by the user (CVE-2017-7547).

The lo_put() function should require the same permissions as lowrite(), but the permission check was missing, which allowed any user to overwrite the data in any large object (CVE-2017-7548).

Note: installing the updated packages alone does not fully fix CVE-2017-7547. pg_user_mappings is a catalog view whose definition is stored in each existing database, so the corrected view definition must be applied by hand in every database on affected systems. See the references for details.

References
Credits

Affected packages

Mageia:5 / postgresql9.3

Package

Name
postgresql9.3
Purl
pkg:rpm/mageia/postgresql9.3?distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.3.18-1.mga5

Ecosystem specific

{
    "section": "core"
}

Mageia:5 / postgresql9.4

Package

Name
postgresql9.4
Purl
pkg:rpm/mageia/postgresql9.4?distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.4.13-1.mga5

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / postgresql9.4

Package

Name
postgresql9.4
Purl
pkg:rpm/mageia/postgresql9.4?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.4.13-1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / postgresql9.6

Package

Name
postgresql9.6
Purl
pkg:rpm/mageia/postgresql9.6?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.6.4-1.mga6

Ecosystem specific

{
    "section": "core"
}