rh-postgresql95-postgresql-9.5.9-1.AXS4

Errata ID: AXSA:2017-2280:02

Release date:
2017/09/22 Friday - 11:25
Title:
rh-postgresql95-postgresql-9.5.9-1.AXS4
Affected channels:
Asianux Server 4 for x86_64
Severity: 
Moderate
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

The following packages have been upgraded to a later upstream version:
rh-postgresql95-postgresql (9.5.9). (BZ#1484637, BZ#1484642, BZ#1484648)

Security Fix(es):

* It was found that authenticating to a PostgreSQL database account with an
empty password was possible despite libpq's refusal to send an empty password. A
remote attacker could potentially use this flaw to gain access to database
accounts with empty passwords. (CVE-2017-7546)

* An authorization flaw was found in the way PostgreSQL handled access to the
pg_user_mappings view on foreign servers. A remote, authenticated attacker could
potentially use this flaw to retrieve passwords from the user mappings defined
by the foreign server owners without actually having the privileges to do so.
(CVE-2017-7547)

* An authorization flaw was found in the way PostgreSQL handled large objects.
A remote, authenticated attacker with no privileges on a large object could
potentially use this flaw to overwrite the entire content of the object, thus
resulting in denial of service. (CVE-2017-7548)

Asianux would like to thank the PostgreSQL project for reporting these issues.
Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as
the original reporters of CVE-2017-7546; Jeff Janes as the original reporter
of CVE-2017-7547; and Chapman Flack as the original reporter of CVE-2017-7548.

CVE-2017-7546
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are
vulnerable to an incorrect authentication flaw allowing remote attackers
to gain access to database accounts with an empty password.
CVE-2017-7547
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are
vulnerable to an authorization flaw allowing remote authenticated
attackers to retrieve passwords from the user mappings defined by the
foreign server owners without actually having the privileges to do so.
CVE-2017-7548
PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an
authorization flaw allowing remote authenticated attackers with no
privileges on a large object to overwrite the entire contents of the
object, resulting in a denial of service.

Solution:

Update packages.

Additional information:

N/A

Download:

SRPMS
  1. rh-postgresql95-postgresql-9.5.9-1.AXS4.src.rpm
    MD5: 7be40ad7ce65cb28b4683c0a61d2c0cb
    SHA-256: f0358ea8e11e62671fa20c4d4068b3e8e2b0b70ddcc3bbfe1369c6b9a4bcfff1
    Size: 25.75 MB

Asianux Server 4 for x86_64
  1. rh-postgresql95-postgresql-9.5.9-1.AXS4.x86_64.rpm
    MD5: be6c1b82c64ec5f6a65f02a20bcd290b
    SHA-256: 645a26d03e7d7c185bfca3df2366787210181ab0e0c105c92422d9531591c621
    Size: 3.43 MB
  2. rh-postgresql95-postgresql-contrib-9.5.9-1.AXS4.x86_64.rpm
    MD5: b6e8d748eade230e01688977ba7e54a8
    SHA-256: 59153af5a6e00956d9f1de251332d6c0dd1a36b1a80dc2e2492e19edcb0c9323
    Size: 554.46 kB
  3. rh-postgresql95-postgresql-devel-9.5.9-1.AXS4.x86_64.rpm
    MD5: 99cb14d3c0bd45d4ed1eaf8ec085ab0b
    SHA-256: abeecb6143eff8568080ea395d3791fb89ffd601f380414a87b9be888bd911a7
    Size: 1.12 MB
  4. rh-postgresql95-postgresql-docs-9.5.9-1.AXS4.x86_64.rpm
    MD5: 04b6d97510821e8f07b19c079354f07e
    SHA-256: ebe6c7899f9669d9a3d9b6a2efc2c0979a645c7e9fba6b715e3715d8282184ff
    Size: 10.36 MB
  5. rh-postgresql95-postgresql-libs-9.5.9-1.AXS4.x86_64.rpm
    MD5: a378bf0dba3b94b17d23b91d72bc0eea
    SHA-256: 47d26eba877de08d5eb7b1c593aef942f504fbccd3a0f4c61e0a01110c4f99c7
    Size: 233.66 kB
  6. rh-postgresql95-postgresql-plperl-9.5.9-1.AXS4.x86_64.rpm
    MD5: 5064e2422b0c8841836a5ac55ca4c277
    SHA-256: bf6f0346c68cd13840fc20a199cb18e48a39a47f3f1dcf9ab90cfe3cbff8261b
    Size: 84.51 kB
  7. rh-postgresql95-postgresql-plpython-9.5.9-1.AXS4.x86_64.rpm
    MD5: 28f85a14b2c8899920200a38af228efe
    SHA-256: 652389c1b5e0b162388258d3d38a280dbff5f0abb62fb322e2923617570b67ad
    Size: 97.08 kB
  8. rh-postgresql95-postgresql-pltcl-9.5.9-1.AXS4.x86_64.rpm
    MD5: 086d42d44a44a3a5def07f75b817f7a3
    SHA-256: e9608e64fa067d12d643e526879f4682d3ac59245c63b306dbb4566834c56544
    Size: 62.08 kB
  9. rh-postgresql95-postgresql-server-9.5.9-1.AXS4.x86_64.rpm
    MD5: a7baec9d055b7d93e5df952288bf6846
    SHA-256: 513c0db66a390c81ceaf79b85f348ed2450b5ea4f1a1dec1c60cc84ff8529974
    Size: 4.81 MB
  10. rh-postgresql95-postgresql-static-9.5.9-1.AXS4.x86_64.rpm
    MD5: bf8e14807366eeffa2c81b6ecc7cbb03
    SHA-256: 97a952ad6aa01189f885563ac86ceac8492f052216d2174e1633c5c787ede8c5
    Size: 120.38 kB
  11. rh-postgresql95-postgresql-test-9.5.9-1.AXS4.x86_64.rpm
    MD5: e33f980f198ff90e1a0a54c2cc0cc41f
    SHA-256: fe1f2f44f845133dc9b09e3635ac293550413948f61f50bbcaeb71e53e2c6d52
    Size: 1.47 MB