rh-postgresql94-postgresql-9.4.14-1.AXS4

Errata ID: AXSA:2017-2281:02

Release date:
2017/09/22 Friday - 11:38
Title:
rh-postgresql94-postgresql-9.4.14-1.AXS4
Affected channels:
Asianux Server 4 for x86_64
Severity: 
Moderate
Description: 

PostgreSQL is an advanced object-relational database management system (DBMS).

The following packages have been upgraded to a later upstream version:
rh-postgresql94-postgresql (9.4.14). (BZ#1484635, BZ#1484638, BZ#1484644)

Security Fix(es):

* It was found that authenticating to a PostgreSQL database account with an
empty password was possible despite libpq's refusal to send an empty password. A
remote attacker could potentially use this flaw to gain access to database
accounts with empty passwords. (CVE-2017-7546)

* An authorization flaw was found in the way PostgreSQL handled access to the
pg_user_mappings view on foreign servers. A remote, authenticated attacker could
potentially use this flaw to retrieve passwords from the user mappings defined
by the foreign server owners without actually having the privileges to do so.
(CVE-2017-7547)

* An authorization flaw was found in the way PostgreSQL handled large objects.
A remote, authenticated attacker with no privileges on a large object could
potentially use this flaw to overwrite the entire content of the object, thus
resulting in denial of service. (CVE-2017-7548)

Asianux would like to thank the PostgreSQL project for reporting these issues.
Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as
the original reporters of CVE-2017-7546; Jeff Janes as the original reporter
of CVE-2017-7547; and Chapman Flack as the original reporter of CVE-2017-7548.

CVE-2017-7546
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are
vulnerable to an incorrect authentication flaw allowing remote attackers
to gain access to database accounts with an empty password.
CVE-2017-7547
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are
vulnerable to an authorization flaw allowing remote authenticated
attackers to retrieve passwords from the user mappings defined by the
foreign server owners without actually having the privileges to do so.
CVE-2017-7548
PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to
an authorization flaw allowing remote authenticated attackers with no
privileges on a large object to overwrite the entire contents of the
object, resulting in a denial of service.

Solution:

Update packages.

Additional information:

N/A

Downloads:

SRPMS
  1. rh-postgresql94-postgresql-9.4.14-1.AXS4.src.rpm
    MD5: dc0b4e8499ef66698e807cab067cace3
    SHA-256: 502043a67321e7222071380d20235fb8937a2d9636d9a8915852cdacbd16a8e9
    Size: 24.46 MB

Asianux Server 4 for x86_64
  1. rh-postgresql94-postgresql-9.4.14-1.AXS4.x86_64.rpm
    MD5: 72b64787c0bcbb255c12a1f53fa57e74
    SHA-256: f1d6aae504fea86863a37ce9460206f4c02d54d7aa941e68535475bba3ca08b6
    Size: 3.20 MB
  2. rh-postgresql94-postgresql-contrib-9.4.14-1.AXS4.x86_64.rpm
    MD5: 901f60f7714afb2c2637e364d02fb32d
    SHA-256: 9ac36c6f65ad48366b3061bd73dd0e0033a8c0289fbfa1959e7c4aa3ea447089
    Size: 523.89 kB
  3. rh-postgresql94-postgresql-devel-9.4.14-1.AXS4.x86_64.rpm
    MD5: dada859dcef632718dd411ab9fd3ac09
    SHA-256: b84a205f1a079812764ed38ea73e84706fb3311a1c3a2218f78af1749c3dda88
    Size: 1.01 MB
  4. rh-postgresql94-postgresql-docs-9.4.14-1.AXS4.x86_64.rpm
    MD5: b95366b727b1c34e3cd3baef41498d49
    SHA-256: 52e8780400bb5d34815d875794eb84538b654cf96641622df61244adf36f5fcd
    Size: 9.90 MB
  5. rh-postgresql94-postgresql-libs-9.4.14-1.AXS4.x86_64.rpm
    MD5: ccb3f5134b9b211fb546c97701aa247d
    SHA-256: e91ad62d2b8094fb9072fa95ef0a3559c2237b2b1dbf6ae721070a5138f01342
    Size: 225.24 kB
  6. rh-postgresql94-postgresql-plperl-9.4.14-1.AXS4.x86_64.rpm
    MD5: caf9fa9140fc112b5d30ac25e9e29c64
    SHA-256: 83f57e7e85a28fc53b4df9005e52b7729d021ed949c54900c487a9fab02a1689
    Size: 81.11 kB
  7. rh-postgresql94-postgresql-plpython-9.4.14-1.AXS4.x86_64.rpm
    MD5: d9347b75a7d0ccb7c7ee20b07cd095ad
    SHA-256: 75fe052d3d18585504634aae15e71ef475a1d16ff38f4217adf5f11e2730e94c
    Size: 93.81 kB
  8. rh-postgresql94-postgresql-pltcl-9.4.14-1.AXS4.x86_64.rpm
    MD5: dab1e0a332316cff2d8a4dd681054b0a
    SHA-256: 7b43d718c0184bb86ec6bbb3deb407446547c63e00c8293cdd782ae87e96335d
    Size: 58.84 kB
  9. rh-postgresql94-postgresql-server-9.4.14-1.AXS4.x86_64.rpm
    MD5: 28979ac8c4e92d6f24d88dea9e117a72
    SHA-256: 7a9c33d250952b4b8055b5a625e19807d83ec9a966abb87eb7801171a7452dc8
    Size: 4.60 MB
  10. rh-postgresql94-postgresql-test-9.4.14-1.AXS4.x86_64.rpm
    MD5: 3656a839d8344f88ede7ddb8355b5c9a
    SHA-256: e23a091f15b1a1a702d8382a7660beda6d394bdb6109c650a26207ee042ee1ef
    Size: 2.18 MB
  11. rh-postgresql94-postgresql-upgrade-9.4.14-1.AXS4.x86_64.rpm
    MD5: d850a8ec528d7419ea23fbef9f6c90a7
    SHA-256: f405ec6ce9e7813f21f8cb22a5f4d81c096ca0a8a8c2756610e9dbef7baaebc3
    Size: 80.01 kB