Univention Bugzilla – Bug 44679
postgresql-9.4: Multiple issues (4.2)
Last modified: 2017-06-28 15:33:38 CEST
Upstream Debian package version 9.1.20-0+deb7u1 fixes these issues:
* Some selectivity estimation functions in PostgreSQL do not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access. (CVE-2017-7484)
* The PGREQUIRESSL environment variable is no longer enforcing an SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. (CVE-2017-7485)
* Information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server. (CVE-2017-7486)
That's upstream Debian package version 9.4.12-0+deb8u1
Imported from Debian Jessie-security through Bug #44451
YAML: ucs-4.2-0@80050
r80092 | Bug #44679: PostgreSQL-9.4 YAML
I've installed univention-postgresql and updated.
* Package imported and built in errata4.2-0
* I've moved and updated the advisory to errata4.2-1
* Advisory content ok
* Package update ok
<http://errata.software-univention.de/ucs/4.2/61.html>