ASA-201709-2 generated external raw

[ASA-201709-2] postgresql: multiple issues
Arch Linux Security Advisory ASA-201709-2 ========================================= Severity: High Date : 2017-09-06 CVE-ID : CVE-2017-7546 CVE-2017-7547 CVE-2017-7548 Package : postgresql Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-381 Summary ======= The package postgresql before version 9.6.4-1 is vulnerable to multiple issues including information disclosure, access restriction bypass and authentication bypass. Resolution ========== Upgrade to 9.6.4-1. # pacman -Syu "postgresql>=9.6.4-1" The problems have been fixed upstream in version 9.6.4. Workaround ========== None. Description =========== - CVE-2017-7546 (authentication bypass) It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. - CVE-2017-7547 (information disclosure) An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. - CVE-2017-7548 (access restriction bypass) An authorization flaw was found in the way PostgreSQL handled large objects. A remote authenticated attacker with no privileges on a large object could potentially use this flaw to overwrite the entire content of the object, thus resulting in denial of service. Impact ====== A remote unauthenticated attacker is be able to gain access to database accounts with empty passwords. Additionally a remote authenticated user may be able to perform a denial of service attack or retrieve passwords from the user mappings. References ========== https://www.postgresql.org/about/news/1772/ https://github.com/postgres/postgres/commit/d5d46d99ba47f https://github.com/postgres/postgres/commit/b6e39ca92eeee4 https://github.com/postgres/postgres/commit/f1cda6d6cbb2 https://security.archlinux.org/CVE-2017-7546 https://security.archlinux.org/CVE-2017-7547 https://security.archlinux.org/CVE-2017-7548