ArchLinux: 201705-23: postgresql: information disclosure
Summary
- CVE-2017-7484 (information disclosure)
A security issue has been found in PostgreSQL < 9.6.3, where some
selectivity estimation functions did not check user privileges before
providing information from pg_statistic, possibly leaking information.
An unprivileged attacker could use this flaw to steal some information
from tables they are otherwise not allowed to access.
- CVE-2017-7486 (information disclosure)
A security issue has been found in PostgreSQL < 9.6.3, where the
pg_user_mappings view disclosed user mapping options to any user having
USAGE privilege on the associated foreign server, including the
password. An attacker could then use the password to run arbitrary
queries against the server or others accepting the same credentials,
not just the limited queries one can issue via foreign tables.
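Added exposure check, not part of the advisory text: run as a superuser on a server you administer, it reports whether the running server is still below the fixed 9.6.3 and which user mappings carry a password option that CVE-2017-7486 would have exposed to every non-superuser role holding USAGE on the associated foreign server.

```sql
-- Added example (not from the advisory): assess exposure to CVE-2017-7486.

-- (a) server_version_num is 90603 for 9.6.3; anything lower is affected.
SELECT current_setting('server_version_num')::int < 90603 AS affected_by_advisory;

-- (b) user mappings whose options include a password, paired with the
--     non-superuser roles that hold USAGE on the foreign server and could
--     therefore have read that password through pg_user_mappings.
SELECT s.srvname AS foreign_server,
       CASE WHEN m.umuser = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(m.umuser) END AS mapped_user,
       r.rolname AS role_with_usage
FROM   pg_user_mapping m
JOIN   pg_foreign_server s ON s.oid = m.umserver
CROSS JOIN LATERAL pg_options_to_table(m.umoptions) AS o(option_name, option_value)
JOIN   pg_roles r ON has_server_privilege(r.oid, s.oid, 'USAGE')
WHERE  o.option_name = 'password'
  AND  NOT r.rolsuper
ORDER BY 1, 2, 3;
```

Any row returned by query (b) on a pre-9.6.3 server is a credential that should be rotated after the upgrade, since the listed role could already have read it.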
Resolution
Upgrade to 9.6.3-1.
# pacman -Syu "postgresql>=9.6.3-1"
The problems have been fixed upstream in version 9.6.3.
References
https://www.postgresql.org/about/news/1746/
https://security.archlinux.org/CVE-2017-7484
https://security.archlinux.org/CVE-2017-7486
Workaround
None.