Univention Bugzilla – Bug 45236
postgresql-9.1: Multiple issues (4.1)
Last modified: 2017-08-30 16:39:05 CEST
Upstream Debian package version 9.1.24-0+deb7u1 fixes these issues:
* In some authentication methods empty passwords were accepted (CVE-2017-7546)
* User mappings could leak data to unprivileged users (CVE-2017-7547)
* The lo_put() function ignored ACLs (CVE-2017-7548)
That's 9.1.24lts2-0+deb7u1
Built with fixed version number 9.1.24-0.13.201708211620 to stay below UCS 4.2. To make that possible I had to rebuild the source-package first to adjust the version number from 9.1.24lts2-0+deb7u1 to 9.1.24-0+deb7u2~lts2.
CVE-2017-7548 has not been fixed. Instead this one:
* Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (CVE-2017-7486)
Advisory: postgresql-9.1.yaml
<http://errata.software-univention.de/ucs/4.1/475.html>
Something strange happened to this bug, reverting state to Resolved. It's neither been verified nor released yet.
OK: apt-get install univention-postgresql
OK: apt-get upgrade
OK: Upgrade 9.1 -> 9.4, reboot
OK: errata-announce -V --only postgresql-9.?.yaml
OK: postgresql-9.?.yaml