rh-postgresql94-postgresql-9.4.14-1.el7

Errata ID: AXSA:2017-2241:02

Release date: 
2017/09/15 Friday - 10:31
Title: 
rh-postgresql94-postgresql-9.4.14-1.el7
Affected channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

The following packages have been upgraded to a later upstream version:
rh-postgresql94-postgresql (9.4.14). (BZ#1484635, BZ#1484638, BZ#1484644)

Security Fix(es):

* It was found that authenticating to a PostgreSQL database account with an
empty password was possible despite libpq's refusal to send an empty password. A
remote attacker could potentially use this flaw to gain access to database
accounts with empty passwords. (CVE-2017-7546)

* An authorization flaw was found in the way PostgreSQL handled access to the
pg_user_mappings view on foreign servers. A remote, authenticated attacker could
potentially use this flaw to retrieve passwords from the user mappings defined
by the foreign server owners without actually having the privileges to do so.
(CVE-2017-7547)

* An authorization flaw was found in the way PostgreSQL handled large objects.
A remote, authenticated attacker with no privileges on a large object could
potentially use this flaw to overwrite the entire content of the object, thus
resulting in denial of service. (CVE-2017-7548)

Asianux would like to thank the PostgreSQL project for reporting these issues.
Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as
the original reporters of CVE-2017-7546; Jeff Janes as the original reporter
of CVE-2017-7547; and Chapman Flack as the original reporter of CVE-2017-7548.

CVE-2017-7546
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are
vulnerable to an incorrect authentication flaw allowing remote attackers
to gain access to database accounts with an empty password.
CVE-2017-7547
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are
vulnerable to an authorization flaw allowing remote authenticated
attackers to retrieve passwords from the user mappings defined by the
foreign server owners without actually having the privileges to do so.
CVE-2017-7548
PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to
an authorization flaw allowing remote authenticated attackers with no
privileges on a large object to overwrite the entire contents of the
object, resulting in a denial of service.

Solution: 

Update packages.

Additional information: 

N/A

Download: 

SRPMS
  1. rh-postgresql94-postgresql-9.4.14-1.el7.src.rpm
    Size: 24.46 MB

Asianux Server 7 for x86_64
  1. rh-postgresql94-postgresql-9.4.14-1.el7.x86_64.rpm
    Size: 3.08 MB
  2. rh-postgresql94-postgresql-contrib-9.4.14-1.el7.x86_64.rpm
    Size: 605.34 kB
  3. rh-postgresql94-postgresql-devel-9.4.14-1.el7.x86_64.rpm
    Size: 1.00 MB
  4. rh-postgresql94-postgresql-docs-9.4.14-1.el7.x86_64.rpm
    Size: 9.77 MB
  5. rh-postgresql94-postgresql-libs-9.4.14-1.el7.x86_64.rpm
    Size: 237.39 kB
  6. rh-postgresql94-postgresql-plperl-9.4.14-1.el7.x86_64.rpm
    Size: 83.23 kB
  7. rh-postgresql94-postgresql-plpython-9.4.14-1.el7.x86_64.rpm
    Size: 96.28 kB
  8. rh-postgresql94-postgresql-pltcl-9.4.14-1.el7.x86_64.rpm
    Size: 60.50 kB
  9. rh-postgresql94-postgresql-server-9.4.14-1.el7.x86_64.rpm
    Size: 4.04 MB
  10. rh-postgresql94-postgresql-test-9.4.14-1.el7.x86_64.rpm
    Size: 1.94 MB
  11. rh-postgresql94-postgresql-upgrade-9.4.14-1.el7.x86_64.rpm
    Size: 84.35 kB