Security update for postgresql93
SUSE Patch
security@suse.de
SUSE Security Team
openSUSE-SU-2017:1495-1
Final
1
1
2017-06-06T16:41:47Z
current
2017-06-06T16:41:47Z
2017-06-06T16:41:47Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for postgresql93
This update for postgresql93 fixes the following issues:
The PostgreSQL package was updated to 9.3.17, bringing various bug and security fixes.
Security fixes:
- CVE-2017-7486: Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1037624)
- CVE-2017-7485: Recognize PGREQUIRESSL variable again. (bsc#1038293)
- CVE-2017-7484: Prevent exposure of statistical information via leaky operators. (bsc#1037603)
More details can be found in the PostgreSQL release announcements:
- https://www.postgresql.org/docs/9.3/static/release-9-3-17.html
- https://www.postgresql.org/docs/9.3/static/release-9-3-16.html
- https://www.postgresql.org/docs/9.3/static/release-9-3-15.html
This update was imported from the SUSE:SLE-12:Update update project.
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://lists.opensuse.org/opensuse-updates/2017-06/msg00012.html
E-Mail link for openSUSE-SU-2017:1495-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
openSUSE Leap 42.2
postgresql93-9.3.17-5.9.1
postgresql93-contrib-9.3.17-5.9.1
postgresql93-devel-9.3.17-5.9.1
postgresql93-docs-9.3.17-5.9.1
postgresql93-libs-9.3.17-5.9.1
postgresql93-plperl-9.3.17-5.9.1
postgresql93-plpython-9.3.17-5.9.1
postgresql93-pltcl-9.3.17-5.9.1
postgresql93-server-9.3.17-5.9.1
postgresql93-test-9.3.17-5.9.1
postgresql93-9.3.17-5.9.1 as a component of openSUSE Leap 42.2
postgresql93-contrib-9.3.17-5.9.1 as a component of openSUSE Leap 42.2
postgresql93-devel-9.3.17-5.9.1 as a component of openSUSE Leap 42.2
postgresql93-docs-9.3.17-5.9.1 as a component of openSUSE Leap 42.2
postgresql93-libs-9.3.17-5.9.1 as a component of openSUSE Leap 42.2
postgresql93-plperl-9.3.17-5.9.1 as a component of openSUSE Leap 42.2
postgresql93-plpython-9.3.17-5.9.1 as a component of openSUSE Leap 42.2
postgresql93-pltcl-9.3.17-5.9.1 as a component of openSUSE Leap 42.2
postgresql93-server-9.3.17-5.9.1 as a component of openSUSE Leap 42.2
postgresql93-test-9.3.17-5.9.1 as a component of openSUSE Leap 42.2
It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
CVE-2017-7484
openSUSE Leap 42.2:postgresql93-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-contrib-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-devel-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-docs-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-libs-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-plperl-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-plpython-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-pltcl-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-server-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-test-9.3.17-5.9.1
moderate
3.5
AV:N/AC:M/Au:S/C:P/I:N/A:N
Please install the update.
https://lists.opensuse.org/opensuse-updates/2017-06/msg00012.html
https://www.suse.com/security/cve/CVE-2017-7484.html
CVE-2017-7484
https://bugzilla.suse.com/1037603
SUSE Bug 1037603
https://bugzilla.suse.com/1051015
SUSE Bug 1051015
In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing an SSL/TLS connection to a PostgreSQL server. An active man-in-the-middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.
CVE-2017-7485
openSUSE Leap 42.2:postgresql93-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-contrib-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-devel-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-docs-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-libs-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-plperl-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-plpython-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-pltcl-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-server-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-test-9.3.17-5.9.1
moderate
5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N
Please install the update.
https://lists.opensuse.org/opensuse-updates/2017-06/msg00012.html
https://www.suse.com/security/cve/CVE-2017-7485.html
CVE-2017-7485
https://bugzilla.suse.com/1038293
SUSE Bug 1038293
https://bugzilla.suse.com/1051015
SUSE Bug 1051015
PostgreSQL versions 8.4 - 9.6 are vulnerable to an information leak in the pg_user_mappings view, which discloses foreign server passwords to any user having the USAGE privilege on the associated foreign server.
CVE-2017-7486
openSUSE Leap 42.2:postgresql93-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-contrib-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-devel-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-docs-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-libs-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-plperl-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-plpython-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-pltcl-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-server-9.3.17-5.9.1
openSUSE Leap 42.2:postgresql93-test-9.3.17-5.9.1
moderate
3.5
AV:N/AC:M/Au:S/C:P/I:N/A:N
Please install the update.
https://lists.opensuse.org/opensuse-updates/2017-06/msg00012.html
https://www.suse.com/security/cve/CVE-2017-7486.html
CVE-2017-7486
https://bugzilla.suse.com/1037624
SUSE Bug 1037624
https://bugzilla.suse.com/1051015
SUSE Bug 1051015
https://bugzilla.suse.com/1051685
SUSE Bug 1051685