ArchLinux: 201709-2: postgresql: multiple issues
Summary
- CVE-2017-7546 (authentication bypass)
It was found that authenticating to a PostgreSQL database account with
an empty password was possible despite libpq's refusal to send an empty
password. A remote attacker could potentially use this flaw to gain
access to database accounts with empty passwords.
- CVE-2017-7547 (information disclosure)
An authorization flaw was found in the way PostgreSQL handled access to
the pg_user_mappings view on foreign servers. A remote authenticated
attacker could potentially use this flaw to retrieve passwords from the
user mappings defined by the foreign server owners without actually
having the privileges to do so.
- CVE-2017-7548 (access restriction bypass)
An authorization flaw was found in the way PostgreSQL handled large
objects. A remote authenticated attacker with no privileges on a large
object could potentially use this flaw to overwrite the entire content
of the object, thus resulting in denial of service.
Resolution
Upgrade to 9.6.4-1.
# pacman -Syu "postgresql>=9.6.4-1"
The problems have been fixed upstream in version 9.6.4.
References
https://www.postgresql.org/about/news/2017-08-10-security-update-release-1772/ https://github.com/postgres/postgres/commit/d5d46d99ba47f https://github.com/postgres/postgres/commit/b6e39ca92eeee4 https://github.com/postgres/postgres/commit/f1cda6d6cbb2 https://security.archlinux.org/CVE-2017-7546 https://security.archlinux.org/CVE-2017-7547 https://security.archlinux.org/CVE-2017-7548
Workaround
None.