
[ASA-201705-23] postgresql: information disclosure
Arch Linux Security Advisory ASA-201705-23
==========================================

Severity: Medium
Date    : 2017-05-30
CVE-ID  : CVE-2017-7484 CVE-2017-7486
Package : postgresql
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-272

Summary
=======

The package postgresql before version 9.6.3-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 9.6.3-1.

# pacman -Syu "postgresql>=9.6.3-1"

The problems have been fixed upstream in version 9.6.3.

Workaround
==========

None.

Description
===========

- CVE-2017-7484 (information disclosure)

A security issue has been found in PostgreSQL < 9.6.3, where some
selectivity estimation functions did not check user privileges before
providing information from pg_statistic, possibly leaking information.
An unprivileged attacker could use this flaw to steal some information
from tables they are otherwise not allowed to access.

- CVE-2017-7486 (information disclosure)

A security issue has been found in PostgreSQL < 9.6.3, where the
pg_user_mappings view disclosed user mapping options to any user having
USAGE privilege on the associated foreign server, including the
password. An attacker could then use the password to run arbitrary
queries against the server or others accepting the same credentials,
not just the limited queries one can issue via foreign tables.

Impact
======

An unprivileged, authenticated attacker can access sensitive
information on the vulnerable server.

References
==========

https://www.postgresql.org/about/news/1746/
https://security.archlinux.org/CVE-2017-7484
https://security.archlinux.org/CVE-2017-7486
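As an added example that is not part of the advisory, the following audit query (run as a superuser in psql) lets a DBA gauge the CVE-2017-7486 exposure before the upgrade lands: it reports each user mapping whose options carry a password, paired with every non-superuser role that holds USAGE on the foreign server and could therefore read that password through pg_user_mappings on releases below 9.6.3. It relies only on the standard catalogs pg_user_mappings, pg_foreign_server, pg_roles and the has_server_privilege() function; the trailing version check is a separate convenience query.

```sql
-- Audit for CVE-2017-7486: which non-superuser roles can currently read a
-- foreign-server password via pg_user_mappings?  (added example, not from
-- the advisory; run as a superuser so umoptions is visible to the query)
SELECT s.srvname                   AS foreign_server,
       um.usename                  AS mapped_user,
       r.rolname                   AS role_with_usage
FROM   pg_user_mappings  um
JOIN   pg_foreign_server s ON s.oid = um.srvid
JOIN   pg_roles          r ON has_server_privilege(r.rolname, s.srvname, 'USAGE')
WHERE  NOT r.rolsuper                       -- superusers are out of scope
  AND  r.rolname NOT LIKE 'pg\_%'           -- skip built-in pg_* roles
  AND  EXISTS (                             -- mapping stores a password
         SELECT 1
         FROM   unnest(um.umoptions) AS o
         WHERE  o LIKE 'password=%')
ORDER  BY 1, 2, 3;

-- Every row above is a (server, mapping, role) triple where the role could
-- read the mapped password on an unpatched server; rotate those passwords
-- after upgrading, since they may already have been observed.

-- Is this instance still below the fixed upstream release (9.6.3)?
SELECT current_setting('server_version') AS server_version,
       current_setting('server_version_num')::int < 90603 AS affected;
```

Interim mitigations that follow from the advisory's description are to revoke USAGE on the foreign server from roles that do not need it and to avoid storing passwords in user mapping options until the instance runs 9.6.3-1.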