ArchLinux: 201705-24: postgresql-libs: man-in-the-middle
Summary
A security issue has been found in the libpq component of PostgreSQL < 9.6.3, where the PGREQUIRESSL environment variable no longer enforced an SSL/TLS connection to a PostgreSQL server. An active man-in-the-middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.
Resolution
Upgrade to 9.6.3-1.
# pacman -Syu "postgresql-libs>=9.6.3-1"
The problem has been fixed upstream in version 9.6.3.
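To confirm a host is on the fixed package, the script below classifies an installed postgresql-libs version against 9.6.3-1 and flags the case where the current environment relies on PGREQUIRESSL. It is an added example, not part of the original advisory or of Arch tooling. Assumptions: the function names `ver_lt` and `libpq_status` are hypothetical, GNU `sort -V` stands in for pacman's own version comparison, and `PGREQUIRESSL=1` is the value that requests SSL.

```shell
#!/bin/sh
# Added example: audit for the libpq PGREQUIRESSL issue in this advisory.

FIXED="9.6.3-1"   # fixed package version, taken from the advisory

# Return 0 if version $1 is strictly older than version $2.
# Assumption: GNU `sort -V` ordering approximates pacman's vercmp for
# plain pkgver-pkgrel strings (no epoch prefix).
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify a host.
#   $1 = installed postgresql-libs version
#   $2 = value of PGREQUIRESSL in the client environment (may be empty)
# Prints: fixed | affected | affected-pgrequiressl-in-use
libpq_status() {
    if ! ver_lt "$1" "$FIXED"; then
        echo "fixed"
    elif [ "$2" = "1" ]; then
        # Clients here expect TLS to be enforced, but this libpq will
        # not enforce it: upgrade these hosts first.
        echo "affected-pgrequiressl-in-use"
    else
        echo "affected"
    fi
}

# Live check, only on systems that have pacman.
# Note: this inspects PGREQUIRESSL in the current shell only; services
# may set it in their own unit files or wrapper scripts.
if command -v pacman >/dev/null 2>&1; then
    installed=$(pacman -Q postgresql-libs 2>/dev/null | cut -d' ' -f2)
    if [ -n "$installed" ]; then
        echo "postgresql-libs $installed: $(libpq_status "$installed" "${PGREQUIRESSL:-}")"
    else
        echo "postgresql-libs is not installed"
    fi
fi
```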
References
https://www.postgresql.org/about/news/1746/
https://security.archlinux.org/CVE-2017-7485
Workaround
None.