CVE-2017-7547
CVSS: 4.0
Published: 2017-08-16 14:29:00
Last modified: 2017-12-30 21:29:03

[Original] PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an authorization flaw allowing remote authenticated attackers to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so.


[CNNVD] CNNVD data not yet available.


[Machine translation] Translation not yet available.

- CVSS (base score)

CVSS score: 4 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [attacker does not need intranet or local access]
Authentication: SINGLE_INSTANCE [--]

- CWE (weakness category)

CWE-285 [Improper Authorization]

- CPE (affected platforms and products)

cpe:/a:postgresql:postgresql:9.2
cpe:/a:postgresql:postgresql:9.2.1
cpe:/a:postgresql:postgresql:9.2.2
cpe:/a:postgresql:postgresql:9.2.3
cpe:/a:postgresql:postgresql:9.2.4
cpe:/a:postgresql:postgresql:9.2.5
cpe:/a:postgresql:postgresql:9.2.6
cpe:/a:postgresql:postgresql:9.2.7
cpe:/a:postgresql:postgresql:9.2.8
cpe:/a:postgresql:postgresql:9.2.9
cpe:/a:postgresql:postgresql:9.2.10
cpe:/a:postgresql:postgresql:9.2.11
cpe:/a:postgresql:postgresql:9.2.12
cpe:/a:postgresql:postgresql:9.2.13
cpe:/a:postgresql:postgresql:9.2.14
cpe:/a:postgresql:postgresql:9.2.15
cpe:/a:postgresql:postgresql:9.2.16
cpe:/a:postgresql:postgresql:9.2.17
cpe:/a:postgresql:postgresql:9.2.18
cpe:/a:postgresql:postgresql:9.2.19
cpe:/a:postgresql:postgresql:9.2.20
cpe:/a:postgresql:postgresql:9.2.21
cpe:/a:postgresql:postgresql:9.3
cpe:/a:postgresql:postgresql:9.3.1
cpe:/a:postgresql:postgresql:9.3.2
cpe:/a:postgresql:postgresql:9.3.3
cpe:/a:postgresql:postgresql:9.3.4
cpe:/a:postgresql:postgresql:9.3.5
cpe:/a:postgresql:postgresql:9.3.6
cpe:/a:postgresql:postgresql:9.3.7
cpe:/a:postgresql:postgresql:9.3.8
cpe:/a:postgresql:postgresql:9.3.9
cpe:/a:postgresql:postgresql:9.3.10
cpe:/a:postgresql:postgresql:9.3.11
cpe:/a:postgresql:postgresql:9.3.12
cpe:/a:postgresql:postgresql:9.3.13
cpe:/a:postgresql:postgresql:9.3.14
cpe:/a:postgresql:postgresql:9.3.15
cpe:/a:postgresql:postgresql:9.3.16
cpe:/a:postgresql:postgresql:9.3.17
cpe:/a:postgresql:postgresql:9.4
cpe:/a:postgresql:postgresql:9.4.1
cpe:/a:postgresql:postgresql:9.4.2
cpe:/a:postgresql:postgresql:9.4.3
cpe:/a:postgresql:postgresql:9.4.4
cpe:/a:postgresql:postgresql:9.4.5
cpe:/a:postgresql:postgresql:9.4.6
cpe:/a:postgresql:postgresql:9.4.7
cpe:/a:postgresql:postgresql:9.4.8
cpe:/a:postgresql:postgresql:9.4.9
cpe:/a:postgresql:postgresql:9.4.10
cpe:/a:postgresql:postgresql:9.4.11
cpe:/a:postgresql:postgresql:9.4.12
cpe:/a:postgresql:postgresql:9.5
cpe:/a:postgresql:postgresql:9.5.1
cpe:/a:postgresql:postgresql:9.5.2
cpe:/a:postgresql:postgresql:9.5.3
cpe:/a:postgresql:postgresql:9.5.4
cpe:/a:postgresql:postgresql:9.5.5
cpe:/a:postgresql:postgresql:9.5.6
cpe:/a:postgresql:postgresql:9.5.7
cpe:/a:postgresql:postgresql:9.6
cpe:/a:postgresql:postgresql:9.6.1
cpe:/a:postgresql:postgresql:9.6.2
cpe:/a:postgresql:postgresql:9.6.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7547
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7547
(official data source) NVD

- Other links and resources

http://www.debian.org/security/2017/dsa-3935
(UNKNOWN)  DEBIAN  DSA-3935
http://www.debian.org/security/2017/dsa-3936
(UNKNOWN)  DEBIAN  DSA-3936
http://www.securityfocus.com/bid/100275
(VENDOR_ADVISORY)  BID  100275
http://www.securitytracker.com/id/1039142
(VENDOR_ADVISORY)  SECTRACK  1039142
https://access.redhat.com/errata/RHSA-2017:2677
(UNKNOWN)  REDHAT  RHSA-2017:2677
https://access.redhat.com/errata/RHSA-2017:2678
(UNKNOWN)  REDHAT  RHSA-2017:2678
https://access.redhat.com/errata/RHSA-2017:2728
(UNKNOWN)  REDHAT  RHSA-2017:2728
https://security.gentoo.org/glsa/201710-06
(UNKNOWN)  GENTOO  GLSA-201710-06
https://www.postgresql.org/about/news/1772/
(VENDOR_ADVISORY)  CONFIRM  https://www.postgresql.org/about/news/1772/

- Vulnerability information (F143705)

Debian Security Advisory 3936-1 (PacketStormID:F143705)
2017-08-10 00:00:00
Debian  debian.org
advisory,vulnerability
linux,debian
CVE-2017-7546,CVE-2017-7547,CVE-2017-7548

Debian Linux Security Advisory 3936-1 - Several vulnerabilities have been found in the PostgreSQL database system.


-------------------------------------------------------------------------
Debian Security Advisory DSA-3936-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 10, 2017                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : postgresql-9.6
CVE ID         : CVE-2017-7546 CVE-2017-7547 CVE-2017-7548

Several vulnerabilities have been found in the PostgreSQL database
system:

CVE-2017-7546

    In some authentication methods empty passwords were accepted.

CVE-2017-7547

    User mappings could leak data to unprivileged users.

CVE-2017-7548

    The lo_put() function ignored ACLs.

For more in-depth descriptions of the security vulnerabilities,
please see https://www.postgresql.org/about/news/1772/

For the stable distribution (stretch), these problems have been fixed in
version 9.6.4-0+deb9u1.

We recommend that you upgrade your postgresql-9.6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- Vulnerability information (F143704)

Debian Security Advisory 3935-1 (PacketStormID:F143704)
2017-08-10 00:00:00
Debian  debian.org
advisory,vulnerability
linux,debian
CVE-2017-7546,CVE-2017-7547,CVE-2017-7548

Debian Linux Security Advisory 3935-1 - Several vulnerabilities have been found in the PostgreSQL database system.


-------------------------------------------------------------------------
Debian Security Advisory DSA-3935-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 10, 2017                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : postgresql-9.4
CVE ID         : CVE-2017-7546 CVE-2017-7547 CVE-2017-7548

Several vulnerabilities have been found in the PostgreSQL database
system:

CVE-2017-7546

    In some authentication methods empty passwords were accepted.

CVE-2017-7547

    User mappings could leak data to unprivileged users.

CVE-2017-7548

    The lo_put() function ignored ACLs.

For more in-depth descriptions of the security vulnerabilities,
please see https://www.postgresql.org/about/news/1772/

For the oldstable distribution (jessie), these problems have been fixed
in version 9.4.13-0+deb8u1.

We recommend that you upgrade your postgresql-9.4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- Vulnerability information (F143765)

Ubuntu Security Notice USN-3390-1 (PacketStormID:F143765)
2017-08-15 00:00:00
Ubuntu  security.ubuntu.com
advisory,remote
linux,ubuntu
CVE-2017-7546,CVE-2017-7547,CVE-2017-7548

Ubuntu Security Notice 3390-1 - Ben de Graaff, Jelte Fennema, and Jeroen van der Ham discovered that PostgreSQL allowed the use of empty passwords in some authentication methods, contrary to expected behaviour. A remote attacker could use an empty password to authenticate to servers that were believed to have password login disabled. Jeff Janes discovered that PostgreSQL incorrectly handled the pg_user_mappings catalog view. A remote attacker without server privileges could possibly use this issue to obtain certain passwords. Various other issues were also addressed.

==========================================================================
Ubuntu Security Notice USN-3390-1
August 15, 2017

postgresql-9.3, postgresql-9.5, postgresql-9.6 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in PostgreSQL.

Software Description:
- postgresql-9.6: object-relational SQL database
- postgresql-9.5: Object-relational SQL database
- postgresql-9.3: Object-relational SQL database

Details:

Ben de Graaff, Jelte Fennema, and Jeroen van der Ham discovered that
PostgreSQL allowed the use of empty passwords in some authentication
methods, contrary to expected behaviour. A remote attacker could use an
empty password to authenticate to servers that were believed to have
password login disabled. (CVE-2017-7546)

Jeff Janes discovered that PostgreSQL incorrectly handled the
pg_user_mappings catalog view. A remote attacker without server privileges
could possibly use this issue to obtain certain passwords. (CVE-2017-7547)

Chapman Flack discovered that PostgreSQL incorrectly handled lo_put()
permissions. A remote attacker could possibly use this issue to change the
data in a large object. (CVE-2017-7548)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  postgresql-9.6                  9.6.4-0ubuntu0.17.04.1

Ubuntu 16.04 LTS:
  postgresql-9.5                  9.5.8-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  postgresql-9.3                  9.3.18-0ubuntu0.14.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

References:
  https://www.ubuntu.com/usn/usn-3390-1
  CVE-2017-7546, CVE-2017-7547, CVE-2017-7548

Package Information:
  https://launchpad.net/ubuntu/+source/postgresql-9.6/9.6.4-0ubuntu0.17.04.1
  https://launchpad.net/ubuntu/+source/postgresql-9.5/9.5.8-0ubuntu0.16.04.1
  https://launchpad.net/ubuntu/+source/postgresql-9.3/9.3.18-0ubuntu0.14.04.1


    

- Vulnerability information (F144100)

Red Hat Security Advisory 2017-2678-01 (PacketStormID:F144100)
2017-09-12 00:00:00
Red Hat  
advisory,remote
linux,redhat
CVE-2017-7546,CVE-2017-7547,CVE-2017-7548

Red Hat Security Advisory 2017-2678-01 - PostgreSQL is an advanced object-relational database management system. The following packages have been upgraded to a later upstream version: rh-postgresql94-postgresql. Security Fix: It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords.


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rh-postgresql94-postgresql security update
Advisory ID:       RHSA-2017:2678-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:2678
Issue date:        2017-09-12
CVE Names:         CVE-2017-7546 CVE-2017-7547 CVE-2017-7548 
=====================================================================

1. Summary:

An update for rh-postgresql94-postgresql is now available for Red Hat
Software Collections.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system
(DBMS).

The following packages have been upgraded to a later upstream version:
rh-postgresql94-postgresql (9.4.14). (BZ#1484635, BZ#1484638, BZ#1484644)

Security Fix(es):

* It was found that authenticating to a PostgreSQL database account with an
empty password was possible despite libpq's refusal to send an empty
password. A remote attacker could potentially use this flaw to gain access
to database accounts with empty passwords. (CVE-2017-7546)

* An authorization flaw was found in the way PostgreSQL handled access to
the pg_user_mappings view on foreign servers. A remote, authenticated
attacker could potentially use this flaw to retrieve passwords from the
user mappings defined by the foreign server owners without actually having
the privileges to do so. (CVE-2017-7547)

* An authorization flaw was found in the way PostgreSQL handled large
objects. A remote, authenticated attacker with no privileges on a large
object could potentially use this flaw to overwrite the entire content of
the object, thus resulting in denial of service. (CVE-2017-7548)

Red Hat would like to thank the PostgreSQL project for reporting these
issues. Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van
der Ham as the original reporters of CVE-2017-7546; Jeff Janes as the
original reporter of CVE-2017-7547; and Chapman Flack as the original
reporter of CVE-2017-7548.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted
after installing this update.

5. Bugs fixed (https://bugzilla.redhat.com/):

1477184 - CVE-2017-7546 postgresql: Empty password accepted in some authentication methods
1477185 - CVE-2017-7547 postgresql: pg_user_mappings view discloses passwords to users lacking server privileges
1477187 - CVE-2017-7548 postgresql: lo_put() function ignores ACLs

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):

Source:
rh-postgresql94-postgresql-9.4.14-1.el6.src.rpm

x86_64:
rh-postgresql94-postgresql-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-contrib-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-debuginfo-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-devel-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-docs-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-libs-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-plperl-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-plpython-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-pltcl-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-server-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-static-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-test-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-upgrade-9.4.14-1.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):

Source:
rh-postgresql94-postgresql-9.4.14-1.el6.src.rpm

x86_64:
rh-postgresql94-postgresql-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-contrib-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-debuginfo-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-devel-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-docs-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-libs-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-plperl-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-plpython-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-pltcl-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-server-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-static-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-test-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-upgrade-9.4.14-1.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):

Source:
rh-postgresql94-postgresql-9.4.14-1.el6.src.rpm

x86_64:
rh-postgresql94-postgresql-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-contrib-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-debuginfo-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-devel-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-docs-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-libs-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-plperl-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-plpython-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-pltcl-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-server-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-static-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-test-9.4.14-1.el6.x86_64.rpm
rh-postgresql94-postgresql-upgrade-9.4.14-1.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-postgresql94-postgresql-9.4.14-1.el7.src.rpm

x86_64:
rh-postgresql94-postgresql-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-contrib-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-debuginfo-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-devel-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-docs-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-libs-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-plperl-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-plpython-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-pltcl-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-server-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-static-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-test-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-upgrade-9.4.14-1.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3):

Source:
rh-postgresql94-postgresql-9.4.14-1.el7.src.rpm

x86_64:
rh-postgresql94-postgresql-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-contrib-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-debuginfo-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-devel-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-docs-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-libs-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-plperl-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-plpython-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-pltcl-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-server-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-static-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-test-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-upgrade-9.4.14-1.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-postgresql94-postgresql-9.4.14-1.el7.src.rpm

x86_64:
rh-postgresql94-postgresql-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-contrib-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-debuginfo-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-devel-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-docs-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-libs-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-plperl-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-plpython-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-pltcl-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-server-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-static-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-test-9.4.14-1.el7.x86_64.rpm
rh-postgresql94-postgresql-upgrade-9.4.14-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-7546
https://access.redhat.com/security/cve/CVE-2017-7547
https://access.redhat.com/security/cve/CVE-2017-7548
https://access.redhat.com/security/updates/classification/#moderate
https://www.postgresql.org/about/news/1772/
https://www.postgresql.org/docs/current/static/release-9-4-13.html
https://www.postgresql.org/docs/current/static/release-9-4-14.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
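Two checks a DBA would run for the pg_user_mappings flaw described in the advisories above, written here as an added example rather than taken from any of them: an audit of which user mappings carry a password option and whether the mapped role actually holds USAGE on the foreign server, and a comparison of the running server against the fixed minor versions listed in this record. Both assume a superuser session, since the pg_user_mapping base catalog is not readable by ordinary roles.

```sql
-- Added audit query (not from the Debian, Ubuntu or Red Hat advisories).
-- Lists every user mapping whose options include a password, the owner of the
-- foreign server, and whether the mapped role holds USAGE on that server.
-- On a release before 9.2.22 / 9.3.18 / 9.4.13 / 9.5.8 / 9.6.4 a role that
-- shows role_has_usage = false can still read that password through the
-- pg_user_mappings view, so those are the credentials to rotate after patching.
SELECT s.srvname                                   AS foreign_server,
       owner.rolname                               AS server_owner,
       COALESCE(r.rolname, 'public')               AS mapped_role,
       CASE WHEN m.umuser = 0 THEN NULL            -- PUBLIC mapping: no single role to test
            ELSE has_server_privilege(m.umuser, s.oid, 'USAGE')
       END                                         AS role_has_usage,
       -- report option names only; never echo the password values themselves
       ARRAY(SELECT split_part(opt, '=', 1)
             FROM unnest(m.umoptions) AS opt)      AS option_names
FROM   pg_user_mapping m
JOIN   pg_foreign_server s ON s.oid = m.umserver
JOIN   pg_roles owner      ON owner.oid = s.srvowner
LEFT JOIN pg_roles r       ON r.oid = m.umuser      -- umuser = 0 means PUBLIC
WHERE  EXISTS (SELECT 1
               FROM unnest(m.umoptions) AS opt
               WHERE split_part(opt, '=', 1) = 'password')
ORDER  BY foreign_server, mapped_role;

-- Version check against the fixed minor of each branch named in this record.
-- server_version_num encodes 9.6.4 as 90604, so num / 100 identifies the branch.
-- has_fix is NULL when the running branch is not one of the five listed here.
WITH v AS (SELECT current_setting('server_version_num')::int AS num)
SELECT current_setting('server_version') AS running,
       num >= CASE num / 100
                WHEN 902 THEN 90222   -- 9.2.22
                WHEN 903 THEN 90318   -- 9.3.18
                WHEN 904 THEN 90413   -- 9.4.13
                WHEN 905 THEN 90508   -- 9.5.8
                WHEN 906 THEN 90604   -- 9.6.4
              END                    AS has_fix
FROM   v;
```

A mapping listed with role_has_usage = false is the case the advisories describe: the password was supplied by the server owner for a role that was never granted USAGE, and the upgrade alone does not undo any disclosure that already happened.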
    

- Vulnerability information (F144099)

Red Hat Security Advisory 2017-2677-01 (PacketStormID:F144099)
2017-09-12 00:00:00
Red Hat  
advisory,remote
linux,redhat
CVE-2017-7546,CVE-2017-7547,CVE-2017-7548

Red Hat Security Advisory 2017-2677-01 - PostgreSQL is an advanced object-relational database management system. The following packages have been upgraded to a later upstream version: rh-postgresql95-postgresql. Security Fix: It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords.


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rh-postgresql95-postgresql security update
Advisory ID:       RHSA-2017:2677-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:2677
Issue date:        2017-09-12
CVE Names:         CVE-2017-7546 CVE-2017-7547 CVE-2017-7548 
=====================================================================

1. Summary:

An update for rh-postgresql95-postgresql is now available for Red Hat
Software Collections.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system
(DBMS).

The following packages have been upgraded to a later upstream version:
rh-postgresql95-postgresql (9.5.9). (BZ#1484637, BZ#1484642, BZ#1484648)

Security Fix(es):

* It was found that authenticating to a PostgreSQL database account with an
empty password was possible despite libpq's refusal to send an empty
password. A remote attacker could potentially use this flaw to gain access
to database accounts with empty passwords. (CVE-2017-7546)

* An authorization flaw was found in the way PostgreSQL handled access to
the pg_user_mappings view on foreign servers. A remote, authenticated
attacker could potentially use this flaw to retrieve passwords from the
user mappings defined by the foreign server owners without actually having
the privileges to do so. (CVE-2017-7547)

* An authorization flaw was found in the way PostgreSQL handled large
objects. A remote, authenticated attacker with no privileges on a large
object could potentially use this flaw to overwrite the entire content of
the object, thus resulting in denial of service. (CVE-2017-7548)

Red Hat would like to thank the PostgreSQL project for reporting these
issues. Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van
der Ham as the original reporters of CVE-2017-7546; Jeff Janes as the
original reporter of CVE-2017-7547; and Chapman Flack as the original
reporter of CVE-2017-7548.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted
after installing this update.

5. Bugs fixed (https://bugzilla.redhat.com/):

1477184 - CVE-2017-7546 postgresql: Empty password accepted in some authentication methods
1477185 - CVE-2017-7547 postgresql: pg_user_mappings view discloses passwords to users lacking server privileges
1477187 - CVE-2017-7548 postgresql: lo_put() function ignores ACLs

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):

Source:
rh-postgresql95-postgresql-9.5.9-1.el6.src.rpm

x86_64:
rh-postgresql95-postgresql-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-contrib-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-debuginfo-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-devel-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-docs-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-libs-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-plperl-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-plpython-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-pltcl-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-server-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-static-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-test-9.5.9-1.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):

Source:
rh-postgresql95-postgresql-9.5.9-1.el6.src.rpm

x86_64:
rh-postgresql95-postgresql-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-contrib-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-debuginfo-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-devel-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-docs-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-libs-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-plperl-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-plpython-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-pltcl-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-server-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-static-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-test-9.5.9-1.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):

Source:
rh-postgresql95-postgresql-9.5.9-1.el6.src.rpm

x86_64:
rh-postgresql95-postgresql-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-contrib-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-debuginfo-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-devel-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-docs-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-libs-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-plperl-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-plpython-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-pltcl-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-server-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-static-9.5.9-1.el6.x86_64.rpm
rh-postgresql95-postgresql-test-9.5.9-1.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-postgresql95-postgresql-9.5.9-1.el7.src.rpm

x86_64:
rh-postgresql95-postgresql-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-contrib-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-debuginfo-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-devel-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-docs-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-libs-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-plperl-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-plpython-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-pltcl-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-server-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-static-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-test-9.5.9-1.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3):

Source:
rh-postgresql95-postgresql-9.5.9-1.el7.src.rpm

x86_64:
rh-postgresql95-postgresql-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-contrib-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-debuginfo-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-devel-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-docs-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-libs-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-plperl-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-plpython-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-pltcl-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-server-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-static-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-test-9.5.9-1.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-postgresql95-postgresql-9.5.9-1.el7.src.rpm

x86_64:
rh-postgresql95-postgresql-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-contrib-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-debuginfo-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-devel-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-docs-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-libs-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-plperl-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-plpython-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-pltcl-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-server-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-static-9.5.9-1.el7.x86_64.rpm
rh-postgresql95-postgresql-test-9.5.9-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-7546
https://access.redhat.com/security/cve/CVE-2017-7547
https://access.redhat.com/security/cve/CVE-2017-7548
https://access.redhat.com/security/updates/classification/#moderate
https://www.postgresql.org/about/news/1772/
https://www.postgresql.org/docs/current/static/release-9-5-8.html
https://www.postgresql.org/docs/current/static/release-9-5-9.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability information (F144141)

Red Hat Security Advisory 2017-2728-01 (PacketStormID:F144141)
2017-09-14 00:00:00
Red Hat  
advisory,remote
linux,redhat
CVE-2017-7546,CVE-2017-7547
[点击下载]

Red Hat Security Advisory 2017-2728-01 - PostgreSQL is an advanced object-relational database management system. The following packages have been upgraded to a later upstream version: postgresql. Security Fix: It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords.

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: postgresql security update
Advisory ID:       RHSA-2017:2728-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:2728
Issue date:        2017-09-14
CVE Names:         CVE-2017-7546 CVE-2017-7547 
=====================================================================

1. Summary:

An update for postgresql is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system
(DBMS).

The following packages have been upgraded to a later upstream version:
postgresql (9.2.23). (BZ#1484639, BZ#1484647)

Security Fix(es):

* It was found that authenticating to a PostgreSQL database account with an
empty password was possible despite libpq's refusal to send an empty
password. A remote attacker could potentially use this flaw to gain access
to database accounts with empty passwords. (CVE-2017-7546)

* An authorization flaw was found in the way PostgreSQL handled access to
the pg_user_mappings view on foreign servers. A remote, authenticated
attacker could potentially use this flaw to retrieve passwords from the
user mappings defined by the foreign server owners without actually having
the privileges to do so. (CVE-2017-7547)

Red Hat would like to thank the PostgreSQL project for reporting these
issues. Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van
der Ham as the original reporters of CVE-2017-7546; and Jeff Janes as the
original reporter of CVE-2017-7547.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted
after installing this update.

5. Bugs fixed (https://bugzilla.redhat.com/):

1477184 - CVE-2017-7546 postgresql: Empty password accepted in some authentication methods
1477185 - CVE-2017-7547 postgresql: pg_user_mappings view discloses passwords to users lacking server privileges

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
postgresql-9.2.23-1.el7_4.src.rpm

x86_64:
postgresql-debuginfo-9.2.23-1.el7_4.i686.rpm
postgresql-debuginfo-9.2.23-1.el7_4.x86_64.rpm
postgresql-libs-9.2.23-1.el7_4.i686.rpm
postgresql-libs-9.2.23-1.el7_4.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
postgresql-9.2.23-1.el7_4.i686.rpm
postgresql-9.2.23-1.el7_4.x86_64.rpm
postgresql-contrib-9.2.23-1.el7_4.x86_64.rpm
postgresql-debuginfo-9.2.23-1.el7_4.i686.rpm
postgresql-debuginfo-9.2.23-1.el7_4.x86_64.rpm
postgresql-devel-9.2.23-1.el7_4.i686.rpm
postgresql-devel-9.2.23-1.el7_4.x86_64.rpm
postgresql-docs-9.2.23-1.el7_4.x86_64.rpm
postgresql-plperl-9.2.23-1.el7_4.x86_64.rpm
postgresql-plpython-9.2.23-1.el7_4.x86_64.rpm
postgresql-pltcl-9.2.23-1.el7_4.x86_64.rpm
postgresql-server-9.2.23-1.el7_4.x86_64.rpm
postgresql-static-9.2.23-1.el7_4.i686.rpm
postgresql-static-9.2.23-1.el7_4.x86_64.rpm
postgresql-test-9.2.23-1.el7_4.x86_64.rpm
postgresql-upgrade-9.2.23-1.el7_4.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
postgresql-9.2.23-1.el7_4.src.rpm

x86_64:
postgresql-9.2.23-1.el7_4.x86_64.rpm
postgresql-debuginfo-9.2.23-1.el7_4.i686.rpm
postgresql-debuginfo-9.2.23-1.el7_4.x86_64.rpm
postgresql-libs-9.2.23-1.el7_4.i686.rpm
postgresql-libs-9.2.23-1.el7_4.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
postgresql-9.2.23-1.el7_4.i686.rpm
postgresql-contrib-9.2.23-1.el7_4.x86_64.rpm
postgresql-debuginfo-9.2.23-1.el7_4.i686.rpm
postgresql-debuginfo-9.2.23-1.el7_4.x86_64.rpm
postgresql-devel-9.2.23-1.el7_4.i686.rpm
postgresql-devel-9.2.23-1.el7_4.x86_64.rpm
postgresql-docs-9.2.23-1.el7_4.x86_64.rpm
postgresql-plperl-9.2.23-1.el7_4.x86_64.rpm
postgresql-plpython-9.2.23-1.el7_4.x86_64.rpm
postgresql-pltcl-9.2.23-1.el7_4.x86_64.rpm
postgresql-server-9.2.23-1.el7_4.x86_64.rpm
postgresql-static-9.2.23-1.el7_4.i686.rpm
postgresql-static-9.2.23-1.el7_4.x86_64.rpm
postgresql-test-9.2.23-1.el7_4.x86_64.rpm
postgresql-upgrade-9.2.23-1.el7_4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
postgresql-9.2.23-1.el7_4.src.rpm

aarch64:
postgresql-9.2.23-1.el7_4.aarch64.rpm
postgresql-contrib-9.2.23-1.el7_4.aarch64.rpm
postgresql-debuginfo-9.2.23-1.el7_4.aarch64.rpm
postgresql-devel-9.2.23-1.el7_4.aarch64.rpm
postgresql-docs-9.2.23-1.el7_4.aarch64.rpm
postgresql-libs-9.2.23-1.el7_4.aarch64.rpm
postgresql-plperl-9.2.23-1.el7_4.aarch64.rpm
postgresql-plpython-9.2.23-1.el7_4.aarch64.rpm
postgresql-pltcl-9.2.23-1.el7_4.aarch64.rpm
postgresql-server-9.2.23-1.el7_4.aarch64.rpm
postgresql-test-9.2.23-1.el7_4.aarch64.rpm

ppc64:
postgresql-9.2.23-1.el7_4.ppc.rpm
postgresql-9.2.23-1.el7_4.ppc64.rpm
postgresql-contrib-9.2.23-1.el7_4.ppc64.rpm
postgresql-debuginfo-9.2.23-1.el7_4.ppc.rpm
postgresql-debuginfo-9.2.23-1.el7_4.ppc64.rpm
postgresql-devel-9.2.23-1.el7_4.ppc.rpm
postgresql-devel-9.2.23-1.el7_4.ppc64.rpm
postgresql-docs-9.2.23-1.el7_4.ppc64.rpm
postgresql-libs-9.2.23-1.el7_4.ppc.rpm
postgresql-libs-9.2.23-1.el7_4.ppc64.rpm
postgresql-plperl-9.2.23-1.el7_4.ppc64.rpm
postgresql-plpython-9.2.23-1.el7_4.ppc64.rpm
postgresql-pltcl-9.2.23-1.el7_4.ppc64.rpm
postgresql-server-9.2.23-1.el7_4.ppc64.rpm
postgresql-test-9.2.23-1.el7_4.ppc64.rpm

ppc64le:
postgresql-9.2.23-1.el7_4.ppc64le.rpm
postgresql-contrib-9.2.23-1.el7_4.ppc64le.rpm
postgresql-debuginfo-9.2.23-1.el7_4.ppc64le.rpm
postgresql-devel-9.2.23-1.el7_4.ppc64le.rpm
postgresql-docs-9.2.23-1.el7_4.ppc64le.rpm
postgresql-libs-9.2.23-1.el7_4.ppc64le.rpm
postgresql-plperl-9.2.23-1.el7_4.ppc64le.rpm
postgresql-plpython-9.2.23-1.el7_4.ppc64le.rpm
postgresql-pltcl-9.2.23-1.el7_4.ppc64le.rpm
postgresql-server-9.2.23-1.el7_4.ppc64le.rpm
postgresql-test-9.2.23-1.el7_4.ppc64le.rpm

s390x:
postgresql-9.2.23-1.el7_4.s390.rpm
postgresql-9.2.23-1.el7_4.s390x.rpm
postgresql-contrib-9.2.23-1.el7_4.s390x.rpm
postgresql-debuginfo-9.2.23-1.el7_4.s390.rpm
postgresql-debuginfo-9.2.23-1.el7_4.s390x.rpm
postgresql-devel-9.2.23-1.el7_4.s390.rpm
postgresql-devel-9.2.23-1.el7_4.s390x.rpm
postgresql-docs-9.2.23-1.el7_4.s390x.rpm
postgresql-libs-9.2.23-1.el7_4.s390.rpm
postgresql-libs-9.2.23-1.el7_4.s390x.rpm
postgresql-plperl-9.2.23-1.el7_4.s390x.rpm
postgresql-plpython-9.2.23-1.el7_4.s390x.rpm
postgresql-pltcl-9.2.23-1.el7_4.s390x.rpm
postgresql-server-9.2.23-1.el7_4.s390x.rpm
postgresql-test-9.2.23-1.el7_4.s390x.rpm

x86_64:
postgresql-9.2.23-1.el7_4.i686.rpm
postgresql-9.2.23-1.el7_4.x86_64.rpm
postgresql-contrib-9.2.23-1.el7_4.x86_64.rpm
postgresql-debuginfo-9.2.23-1.el7_4.i686.rpm
postgresql-debuginfo-9.2.23-1.el7_4.x86_64.rpm
postgresql-devel-9.2.23-1.el7_4.i686.rpm
postgresql-devel-9.2.23-1.el7_4.x86_64.rpm
postgresql-docs-9.2.23-1.el7_4.x86_64.rpm
postgresql-libs-9.2.23-1.el7_4.i686.rpm
postgresql-libs-9.2.23-1.el7_4.x86_64.rpm
postgresql-plperl-9.2.23-1.el7_4.x86_64.rpm
postgresql-plpython-9.2.23-1.el7_4.x86_64.rpm
postgresql-pltcl-9.2.23-1.el7_4.x86_64.rpm
postgresql-server-9.2.23-1.el7_4.x86_64.rpm
postgresql-test-9.2.23-1.el7_4.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
postgresql-debuginfo-9.2.23-1.el7_4.aarch64.rpm
postgresql-static-9.2.23-1.el7_4.aarch64.rpm
postgresql-upgrade-9.2.23-1.el7_4.aarch64.rpm

ppc64:
postgresql-debuginfo-9.2.23-1.el7_4.ppc.rpm
postgresql-debuginfo-9.2.23-1.el7_4.ppc64.rpm
postgresql-static-9.2.23-1.el7_4.ppc.rpm
postgresql-static-9.2.23-1.el7_4.ppc64.rpm
postgresql-upgrade-9.2.23-1.el7_4.ppc64.rpm

ppc64le:
postgresql-debuginfo-9.2.23-1.el7_4.ppc64le.rpm
postgresql-static-9.2.23-1.el7_4.ppc64le.rpm
postgresql-upgrade-9.2.23-1.el7_4.ppc64le.rpm

s390x:
postgresql-debuginfo-9.2.23-1.el7_4.s390.rpm
postgresql-debuginfo-9.2.23-1.el7_4.s390x.rpm
postgresql-static-9.2.23-1.el7_4.s390.rpm
postgresql-static-9.2.23-1.el7_4.s390x.rpm
postgresql-upgrade-9.2.23-1.el7_4.s390x.rpm

x86_64:
postgresql-debuginfo-9.2.23-1.el7_4.i686.rpm
postgresql-debuginfo-9.2.23-1.el7_4.x86_64.rpm
postgresql-static-9.2.23-1.el7_4.i686.rpm
postgresql-static-9.2.23-1.el7_4.x86_64.rpm
postgresql-upgrade-9.2.23-1.el7_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
postgresql-9.2.23-1.el7_4.src.rpm

x86_64:
postgresql-9.2.23-1.el7_4.i686.rpm
postgresql-9.2.23-1.el7_4.x86_64.rpm
postgresql-contrib-9.2.23-1.el7_4.x86_64.rpm
postgresql-debuginfo-9.2.23-1.el7_4.i686.rpm
postgresql-debuginfo-9.2.23-1.el7_4.x86_64.rpm
postgresql-devel-9.2.23-1.el7_4.i686.rpm
postgresql-devel-9.2.23-1.el7_4.x86_64.rpm
postgresql-docs-9.2.23-1.el7_4.x86_64.rpm
postgresql-libs-9.2.23-1.el7_4.i686.rpm
postgresql-libs-9.2.23-1.el7_4.x86_64.rpm
postgresql-plperl-9.2.23-1.el7_4.x86_64.rpm
postgresql-plpython-9.2.23-1.el7_4.x86_64.rpm
postgresql-pltcl-9.2.23-1.el7_4.x86_64.rpm
postgresql-server-9.2.23-1.el7_4.x86_64.rpm
postgresql-test-9.2.23-1.el7_4.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
postgresql-debuginfo-9.2.23-1.el7_4.i686.rpm
postgresql-debuginfo-9.2.23-1.el7_4.x86_64.rpm
postgresql-static-9.2.23-1.el7_4.i686.rpm
postgresql-static-9.2.23-1.el7_4.x86_64.rpm
postgresql-upgrade-9.2.23-1.el7_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-7546
https://access.redhat.com/security/cve/CVE-2017-7547
https://access.redhat.com/security/updates/classification/#moderate
https://www.postgresql.org/about/news/1772/
https://www.postgresql.org/docs/current/static/release-9-2-22.html
https://www.postgresql.org/docs/current/static/release-9-2-23.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.


- Vulnerability information (F144535)

Gentoo Linux Security Advisory 201710-06 (PacketStormID:F144535)
2017-10-09 00:00:00
Gentoo security.gentoo.org
advisory,vulnerability
linux,gentoo
CVE-2017-7484,CVE-2017-7485,CVE-2017-7486,CVE-2017-7546,CVE-2017-7547,CVE-2017-7548

Gentoo Linux Security Advisory 201710-6 - Multiple vulnerabilities have been found in PostgreSQL, the worst of which could result in privilege escalation. Versions less than 9.6.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201710-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: PostgreSQL: Multiple vulnerabilities
     Date: October 08, 2017
     Bugs: #618462, #627462
       ID: 201710-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in PostgreSQL, the worst of
which could result in privilege escalation.

Background
==========

PostgreSQL is an open source object-relational database management
system.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-db/postgresql            < 9.6.4                >= 9.6.4:9.6 
                                                         >= 9.5.8:9.5 
                                                        >= 9.4.13:9.4 
                                                        >= 9.3.18:9.3 
                                                        >= 9.2.22:9.2 

Description
===========

Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the referenced CVE identifiers for details.

Impact
======

A remote attacker could escalate privileges, cause a Denial of Service
condition, obtain passwords, cause a loss in information, or obtain
sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PostgreSQL 9.6.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.4"

All PostgreSQL 9.5.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.8"

All PostgreSQL 9.4.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.13"

All PostgreSQL 9.3.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.18"

All PostgreSQL 9.2.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.2.22"

References
==========

[ 1 ] CVE-2017-7484
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7484
[ 2 ] CVE-2017-7485
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7485
[ 3 ] CVE-2017-7486
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7486
[ 4 ] CVE-2017-7546
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7546
[ 5 ] CVE-2017-7547
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7547
[ 6 ] CVE-2017-7548
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7548

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201710-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

- Vulnerability information

PostgreSQL CVE-2017-7547 Information Disclosure Vulnerability
Class: Design Error
Bugtraq ID: 100275
Remote: Yes
Local: No
Published: 2017-08-10 12:00:00
Updated: 2017-08-10 12:00:00
Credit: Jeff Janes

- Affected program versions

Redhat Software Collections for RHEL 0
Redhat Satellite 5
Redhat Enterprise Linux 7
PostgreSQL PostgreSQL 9.5.7
PostgreSQL PostgreSQL 9.5.6
PostgreSQL PostgreSQL 9.5.4
PostgreSQL PostgreSQL 9.5.1
PostgreSQL PostgreSQL 9.5
PostgreSQL PostgreSQL 9.4.12
PostgreSQL PostgreSQL 9.4.11
PostgreSQL PostgreSQL 9.4.9
PostgreSQL PostgreSQL 9.4.6
PostgreSQL PostgreSQL 9.4.5
PostgreSQL PostgreSQL 9.4.4
PostgreSQL PostgreSQL 9.4.3
PostgreSQL PostgreSQL 9.4.2
PostgreSQL PostgreSQL 9.4.1
PostgreSQL PostgreSQL 9.3.17
PostgreSQL PostgreSQL 9.3.16
PostgreSQL PostgreSQL 9.3.14
PostgreSQL PostgreSQL 9.3.11
PostgreSQL PostgreSQL 9.3.10
PostgreSQL PostgreSQL 9.3.8
PostgreSQL PostgreSQL 9.3.7
PostgreSQL PostgreSQL 9.3.6
PostgreSQL PostgreSQL 9.3.5
PostgreSQL PostgreSQL 9.3.4
PostgreSQL PostgreSQL 9.3.3
PostgreSQL PostgreSQL 9.3.2
PostgreSQL PostgreSQL 9.2.21
PostgreSQL PostgreSQL 9.2.20
PostgreSQL PostgreSQL 9.2.18
PostgreSQL PostgreSQL 9.2.15
PostgreSQL PostgreSQL 9.2.14
PostgreSQL PostgreSQL 9.2.13
PostgreSQL PostgreSQL 9.2.12
PostgreSQL PostgreSQL 9.2.11
PostgreSQL PostgreSQL 9.2.10
PostgreSQL PostgreSQL 9.2.7
PostgreSQL PostgreSQL 9.2.6
PostgreSQL PostgreSQL 9.2.5
PostgreSQL PostgreSQL 9.2.3
PostgreSQL PostgreSQL 9.6.3
PostgreSQL PostgreSQL 9.6.2
PostgreSQL PostgreSQL 9.6.1
PostgreSQL PostgreSQL 9.5.2
PostgreSQL PostgreSQL 9.4
PostgreSQL PostgreSQL 9.3.1
PostgreSQL PostgreSQL 9.3
PostgreSQL PostgreSQL 9.2.4-1
PostgreSQL PostgreSQL 9.2.4
PostgreSQL PostgreSQL 9.2.2-1
PostgreSQL PostgreSQL 9.2.2
PostgreSQL PostgreSQL 9.2.1
PostgreSQL PostgreSQL 9.2
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 ia-30
Debian Linux 6.0 arm
Debian Linux 6.0 amd64

- Unaffected program versions

PostgreSQL PostgreSQL 9.6.4
PostgreSQL PostgreSQL 9.5.8
PostgreSQL PostgreSQL 9.4.13
PostgreSQL PostgreSQL 9.3.18
PostgreSQL PostgreSQL 9.2.22

- Vulnerability discussion

PostgreSQL is prone to an information-disclosure vulnerability.

An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks.

PostgreSQL 9.2 through 9.6 are vulnerable.

- Exploit

- Solution

Updates are available. Please see the references or vendor advisory for more information.

- Related references

