rh-postgresql95-postgresql-9.5.9-1.el7

Errata ID: AXSA:2017-2240:02

Release date: 2017/09/15 Friday - 10:08
Title: rh-postgresql95-postgresql-9.5.9-1.el7
Affected channels: Asianux Server 7 for x86_64
Severity: Moderate
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

The following packages have been upgraded to a later upstream version:
rh-postgresql95-postgresql (9.5.9). (BZ#1484637, BZ#1484642, BZ#1484648)

Security Fix(es):

* It was found that authenticating to a PostgreSQL database account with an
empty password was possible despite libpq's refusal to send an empty password. A
remote attacker could potentially use this flaw to gain access to database
accounts with empty passwords. (CVE-2017-7546)

* An authorization flaw was found in the way PostgreSQL handled access to the
pg_user_mappings view on foreign servers. A remote, authenticated attacker could
potentially use this flaw to retrieve passwords from the user mappings defined
by the foreign server owners without actually having the privileges to do so.
(CVE-2017-7547)

* An authorization flaw was found in the way PostgreSQL handled large objects.
A remote, authenticated attacker with no privileges on a large object could
potentially use this flaw to overwrite the entire content of the object, thus
resulting in denial of service. (CVE-2017-7548)

Asianux would like to thank the PostgreSQL project for reporting these issues.
Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as
the original reporters of CVE-2017-7546; Jeff Janes as the original reporter
of CVE-2017-7547; and Chapman Flack as the original reporter of CVE-2017-7548.

CVE-2017-7546
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are
vulnerable to an incorrect authentication flaw allowing remote attackers
to gain access to database accounts with an empty password.
CVE-2017-7547
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are
vulnerable to an authorization flaw allowing remote authenticated
attackers to retrieve passwords from the user mappings defined by the
foreign server owners without actually having the privileges to do so.
CVE-2017-7548
PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to
an authorization flaw allowing remote authenticated attackers with no
privileges on a large object to overwrite the entire contents of the
object, resulting in a denial of service.

Solution:

Update packages.

Additional information:

N/A

Downloads:

SRPMS
  1. rh-postgresql95-postgresql-9.5.9-1.el7.src.rpm
    MD5: 07012f82fa4e4571ad62ffdde1a4ed95
    SHA-256: 0fbae59efa7038bd21d45ae476565c1738be250e533a549306304387029a51dd
    Size: 25.75 MB

Asianux Server 7 for x86_64
  1. rh-postgresql95-postgresql-9.5.9-1.el7.x86_64.rpm
    MD5: 30ce274cbc5b76a11d7927e1282afe50
    SHA-256: 27cb6ebce238f55aee0df52c47d454a0b63e1059c214e48ca0e33aeef2fbe42e
    Size: 3.30 MB
  2. rh-postgresql95-postgresql-contrib-9.5.9-1.el7.x86_64.rpm
    MD5: c4a8302d396dbab47c9be62ff81e2bd5
    SHA-256: 7907b01774664346e11d9c3eaa0c44fcb84ad92e73072f6bc7eeeacf773f15f4
    Size: 638.10 kB
  3. rh-postgresql95-postgresql-devel-9.5.9-1.el7.x86_64.rpm
    MD5: 302c4933aa7b2dadcbb8fe6496bb06d6
    SHA-256: a617efa115811c03190cca4b36fc3ad3817b7600fccef4ccbff217c63adcd547
    Size: 1.10 MB
  4. rh-postgresql95-postgresql-docs-9.5.9-1.el7.x86_64.rpm
    MD5: f045a0c39ecb82f560fd5450a1f13609
    SHA-256: a2d92f33ca6f0f7f0fefdc6233df8ed4965cc73611085503d2508964e1c90f7e
    Size: 10.23 MB
  5. rh-postgresql95-postgresql-libs-9.5.9-1.el7.x86_64.rpm
    MD5: 9a7628e068453ed43d9863f321bee171
    SHA-256: 7d4c4e49546974ac355f25a355e47322ff92c1cf36f7b06f122043215d71fd8b
    Size: 245.87 kB
  6. rh-postgresql95-postgresql-plperl-9.5.9-1.el7.x86_64.rpm
    MD5: aa8279a1a1b50aa9b45d8d16ba9c7d29
    SHA-256: b6b660b9c43e1e941d23ee9fe34f47ed4298b0ae052639dc5867f63813058340
    Size: 86.87 kB
  7. rh-postgresql95-postgresql-plpython-9.5.9-1.el7.x86_64.rpm
    MD5: 91f8bf0c50e2cd0f8fe19246e00e2096
    SHA-256: 4065be34df3719753249852d3e01d7242fa77279e09b554b47b378a6363cc7fc
    Size: 99.57 kB
  8. rh-postgresql95-postgresql-pltcl-9.5.9-1.el7.x86_64.rpm
    MD5: 153bd3d40a254d994014f91a8cc7a416
    SHA-256: 3dd8849a514c5611a449420d6f8d8c98f7bccbe0ae47b5a4e06239f13d5d62f6
    Size: 63.80 kB
  9. rh-postgresql95-postgresql-server-9.5.9-1.el7.x86_64.rpm
    MD5: 2b71e062f3e33f51f982559ce504017f
    SHA-256: 0dc9439dc3e713ee7b17302d09c0a604b47e9e9ab354cad247d3be2a21d0bb80
    Size: 4.31 MB
  10. rh-postgresql95-postgresql-static-9.5.9-1.el7.x86_64.rpm
    MD5: f791aa72b2ffea855813bd91a2b3f751
    SHA-256: 773abf4901593d0c0b8684149264133c2d2291e27acdfda7bbd3a0f43ccae8ff
    Size: 130.93 kB
  11. rh-postgresql95-postgresql-test-9.5.9-1.el7.x86_64.rpm
    MD5: 302b185aef7222ad1145891708f7ff23
    SHA-256: 5e5097019bc2e4c476583ab4f93fce8d63458fe433e0ee065a2053bf105e4bfd
    Size: 1.45 MB