ArchLinux: 201711-18: postgresql-old-upgrade: multiple issues
Summary
- CVE-2017-15098 (information disclosure)
A denial of service and potential memory disclosure vulnerability has
been discovered in PostgreSQL in the json_populate_recordset() and
jsonb_populate_recordset() functions.
- CVE-2017-15099 (access restriction bypass)
An access restriction bypass vulnerability has been discovered in
PostgreSQL, the "INSERT ... ON CONFLICT DO UPDATE" would not check to
see if the executing user had permission to perform a "SELECT" on the
index performing the conflicting check. Additionally, in a table with
row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE"
would not check the SELECT policies for that table before performing
the update.
The fix ensures that "INSERT ... ON CONFLICT DO UPDATE" checks against
table permissions and RLS policies before executing.
Resolution
Upgrade to 9.6.6-1.
# pacman -Syu "postgresql-old-upgrade>=9.6.6-1"
The problems have been fixed upstream in version 9.6.6.
References
https://www.postgresql.org/about/news/postgresql-101-966-9510-9415-9320-and-9224-released-1801/ https://security.archlinux.org/CVE-2017-15098 https://security.archlinux.org/CVE-2017-15099
Workaround
None.