Security update for postgresql93 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1495-1 Final 1 1 2017-06-06T16:41:47Z current 2017-06-06T16:41:47Z 2017-06-06T16:41:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql93 This update for postgresql93 fixes the following issues: The PostgreSQL package was updated to 9.3.17, bringing various bug and security fixes. Security fixes: - CVE-2017-7486: Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1037624) - CVE-2017-7485: Recognize PGREQUIRESSL variable again. (bsc#1038293) - CVE-2017-7484: Prevent exposure of statistical information via leaky operators. (bsc#1037603) More details can be found in the PostgreSQL release announcements: - https://www.postgresql.org/docs/9.3/static/release-9-3-17.html - https://www.postgresql.org/docs/9.3/static/release-9-3-16.html - https://www.postgresql.org/docs/9.3/static/release-9-3-15.html This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-06/msg00012.html E-Mail link for openSUSE-SU-2017:1495-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 postgresql93-9.3.17-5.9.1 postgresql93-contrib-9.3.17-5.9.1 postgresql93-devel-9.3.17-5.9.1 postgresql93-docs-9.3.17-5.9.1 postgresql93-libs-9.3.17-5.9.1 postgresql93-plperl-9.3.17-5.9.1 postgresql93-plpython-9.3.17-5.9.1 postgresql93-pltcl-9.3.17-5.9.1 postgresql93-server-9.3.17-5.9.1 postgresql93-test-9.3.17-5.9.1 postgresql93-9.3.17-5.9.1 as a component of openSUSE Leap 42.2 postgresql93-contrib-9.3.17-5.9.1 as a component of openSUSE Leap 42.2 postgresql93-devel-9.3.17-5.9.1 as a component of openSUSE Leap 42.2 postgresql93-docs-9.3.17-5.9.1 as a component of openSUSE Leap 42.2 postgresql93-libs-9.3.17-5.9.1 as a component of openSUSE Leap 42.2 postgresql93-plperl-9.3.17-5.9.1 as a component of openSUSE Leap 42.2 postgresql93-plpython-9.3.17-5.9.1 as a component of openSUSE Leap 42.2 postgresql93-pltcl-9.3.17-5.9.1 as a component of openSUSE Leap 42.2 postgresql93-server-9.3.17-5.9.1 as a component of openSUSE Leap 42.2 postgresql93-test-9.3.17-5.9.1 as a component of openSUSE Leap 42.2 It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access. CVE-2017-7484 openSUSE Leap 42.2:postgresql93-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-contrib-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-devel-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-docs-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-libs-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-plperl-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-plpython-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-pltcl-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-server-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-test-9.3.17-5.9.1 moderate 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-06/msg00012.html https://www.suse.com/security/cve/CVE-2017-7484.html CVE-2017-7484 https://bugzilla.suse.com/1037603 SUSE Bug 1037603 https://bugzilla.suse.com/1051015 SUSE Bug 1051015 In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. CVE-2017-7485 openSUSE Leap 42.2:postgresql93-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-contrib-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-devel-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-docs-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-libs-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-plperl-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-plpython-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-pltcl-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-server-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-test-9.3.17-5.9.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-06/msg00012.html https://www.suse.com/security/cve/CVE-2017-7485.html CVE-2017-7485 https://bugzilla.suse.com/1038293 SUSE Bug 1038293 https://bugzilla.suse.com/1051015 SUSE Bug 1051015 PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server. CVE-2017-7486 openSUSE Leap 42.2:postgresql93-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-contrib-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-devel-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-docs-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-libs-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-plperl-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-plpython-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-pltcl-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-server-9.3.17-5.9.1 openSUSE Leap 42.2:postgresql93-test-9.3.17-5.9.1 moderate 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-06/msg00012.html https://www.suse.com/security/cve/CVE-2017-7486.html CVE-2017-7486 https://bugzilla.suse.com/1037624 SUSE Bug 1037624 https://bugzilla.suse.com/1051015 SUSE Bug 1051015 https://bugzilla.suse.com/1051685 SUSE Bug 1051685