rh-postgresql95-postgresql-9.5.9-1.AXS4
Errata ID: AXSA:2017-2280:02
PostgreSQL is an advanced object-relational database management system (DBMS).
The following packages have been upgraded to a later upstream version:
rh-postgresql95-postgresql (9.5.9). (BZ#1484637, BZ#1484642, BZ#1484648)
Security Fix(es):
* It was found that authenticating to a PostgreSQL database account with an
empty password was possible despite libpq's refusal to send an empty password. A
remote attacker could potentially use this flaw to gain access to database
accounts with empty passwords. (CVE-2017-7546)
* An authorization flaw was found in the way PostgreSQL handled access to the
pg_user_mappings view on foreign servers. A remote, authenticated attacker could
potentially use this flaw to retrieve passwords from the user mappings defined
by the foreign server owners without actually having the privileges to do so.
(CVE-2017-7547)
* An authorization flaw was found in the way PostgreSQL handled large objects.
A remote, authenticated attacker with no privileges on a large object could
potentially use this flaw to overwrite the entire content of the object, thus
resulting in denial of service. (CVE-2017-7548)
Asianux would like to thank the PostgreSQL project for reporting these issues.
Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as
the original reporters of CVE-2017-7546; Jeff Janes as the original reporter
of CVE-2017-7547; and Chapman Flack as the original reporter of CVE-2017-7548.
CVE-2017-7546
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are
vulnerable to an incorrect authentication flaw that allows remote attackers
to gain access to database accounts with an empty password.
CVE-2017-7547
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are
vulnerable to an authorization flaw that allows remote authenticated
attackers to retrieve passwords from the user mappings defined by the
foreign server owners without actually having the privileges to do so.
CVE-2017-7548
PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to
an authorization flaw that allows remote authenticated attackers with no
privileges on a large object to overwrite the entire contents of the
object, resulting in a denial of service.
Update packages.
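An added example, not part of the Asianux advisory: a triage helper that maps a server or package version string to the CVEs listed above, using the fixed releases from their descriptions, and flags roles whose stored password corresponds to the empty string (the condition behind CVE-2017-7546). The function names and sample rows are constructed for illustration; the md5 check assumes PostgreSQL's 'md5' + md5(password + role name) storage format.

```python
import hashlib
import re

# First fixed minor release per branch, from the CVE descriptions above.
FIXED = {(9, 2): 22, (9, 3): 18, (9, 4): 13, (9, 5): 8, (9, 6): 4}
# CVE-2017-7548 is listed only for the 9.4, 9.5 and 9.6 branches.
CVE_BRANCHES = {
    "CVE-2017-7546": set(FIXED),
    "CVE-2017-7547": set(FIXED),
    "CVE-2017-7548": {(9, 4), (9, 5), (9, 6)},
}

def affected_cves(version_text):
    """Return the advisory's CVEs that apply to a version string, or None
    if the branch is not one the advisory lists (hypothetical helper)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("no x.y.z version in %r" % version_text)
    major, minor, patch = (int(p) for p in m.groups())
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return None
    if patch >= fixed:
        return []
    return sorted(c for c, b in CVE_BRANCHES.items() if (major, minor) in b)

def empty_password_roles(rows):
    """rows: (rolname, rolpassword) pairs as read from pg_authid by a
    superuser. Flags roles whose stored value is the empty string or the
    md5 form of the empty string (hypothetical helper)."""
    flagged = []
    for rolname, rolpassword in rows:
        if rolpassword is None:
            continue  # no password set: password authentication cannot succeed
        empty_md5 = "md5" + hashlib.md5(rolname.encode()).hexdigest()
        if rolpassword in ("", empty_md5):
            flagged.append(rolname)
    return flagged

# Constructed sample rows (not taken from any real system).
SAMPLE_ROWS = [
    ("app_ro", "md5" + hashlib.md5(b"app_ro").hexdigest()),  # empty password
    ("app_rw", "md5" + hashlib.md5(b"s3cretapp_rw").hexdigest()),
    ("legacy", ""),  # empty password stored unencrypted
    ("nologin", None),
]

if __name__ == "__main__":
    print(affected_cves("PostgreSQL 9.5.7 on x86_64-pc-linux-gnu"))
    print(empty_password_roles(SAMPLE_ROWS))
```

Roles flagged by `empty_password_roles` should be given a real password or have the password removed, whether or not the server is already on a fixed release.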
N/A
SRPMS
- rh-postgresql95-postgresql-9.5.9-1.AXS4.src.rpm
MD5: 7be40ad7ce65cb28b4683c0a61d2c0cb
SHA-256: f0358ea8e11e62671fa20c4d4068b3e8e2b0b70ddcc3bbfe1369c6b9a4bcfff1
Size: 25.75 MB
Asianux Server 4 for x86_64
- rh-postgresql95-postgresql-9.5.9-1.AXS4.x86_64.rpm
MD5: be6c1b82c64ec5f6a65f02a20bcd290b
SHA-256: 645a26d03e7d7c185bfca3df2366787210181ab0e0c105c92422d9531591c621
Size: 3.43 MB
- rh-postgresql95-postgresql-contrib-9.5.9-1.AXS4.x86_64.rpm
MD5: b6e8d748eade230e01688977ba7e54a8
SHA-256: 59153af5a6e00956d9f1de251332d6c0dd1a36b1a80dc2e2492e19edcb0c9323
Size: 554.46 kB
- rh-postgresql95-postgresql-devel-9.5.9-1.AXS4.x86_64.rpm
MD5: 99cb14d3c0bd45d4ed1eaf8ec085ab0b
SHA-256: abeecb6143eff8568080ea395d3791fb89ffd601f380414a87b9be888bd911a7
Size: 1.12 MB
- rh-postgresql95-postgresql-docs-9.5.9-1.AXS4.x86_64.rpm
MD5: 04b6d97510821e8f07b19c079354f07e
SHA-256: ebe6c7899f9669d9a3d9b6a2efc2c0979a645c7e9fba6b715e3715d8282184ff
Size: 10.36 MB
- rh-postgresql95-postgresql-libs-9.5.9-1.AXS4.x86_64.rpm
MD5: a378bf0dba3b94b17d23b91d72bc0eea
SHA-256: 47d26eba877de08d5eb7b1c593aef942f504fbccd3a0f4c61e0a01110c4f99c7
Size: 233.66 kB
- rh-postgresql95-postgresql-plperl-9.5.9-1.AXS4.x86_64.rpm
MD5: 5064e2422b0c8841836a5ac55ca4c277
SHA-256: bf6f0346c68cd13840fc20a199cb18e48a39a47f3f1dcf9ab90cfe3cbff8261b
Size: 84.51 kB
- rh-postgresql95-postgresql-plpython-9.5.9-1.AXS4.x86_64.rpm
MD5: 28f85a14b2c8899920200a38af228efe
SHA-256: 652389c1b5e0b162388258d3d38a280dbff5f0abb62fb322e2923617570b67ad
Size: 97.08 kB
- rh-postgresql95-postgresql-pltcl-9.5.9-1.AXS4.x86_64.rpm
MD5: 086d42d44a44a3a5def07f75b817f7a3
SHA-256: e9608e64fa067d12d643e526879f4682d3ac59245c63b306dbb4566834c56544
Size: 62.08 kB
- rh-postgresql95-postgresql-server-9.5.9-1.AXS4.x86_64.rpm
MD5: a7baec9d055b7d93e5df952288bf6846
SHA-256: 513c0db66a390c81ceaf79b85f348ed2450b5ea4f1a1dec1c60cc84ff8529974
Size: 4.81 MB
- rh-postgresql95-postgresql-static-9.5.9-1.AXS4.x86_64.rpm
MD5: bf8e14807366eeffa2c81b6ecc7cbb03
SHA-256: 97a952ad6aa01189f885563ac86ceac8492f052216d2174e1633c5c787ede8c5
Size: 120.38 kB
- rh-postgresql95-postgresql-test-9.5.9-1.AXS4.x86_64.rpm
MD5: e33f980f198ff90e1a0a54c2cc0cc41f
SHA-256: fe1f2f44f845133dc9b09e3635ac293550413948f61f50bbcaeb71e53e2c6d52
Size: 1.47 MB