ASA-201711-17 generated external raw

[ASA-201711-17] postgresql: multiple issues
Arch Linux Security Advisory ASA-201711-17 ========================================== Severity: Medium Date : 2017-11-10 CVE-ID : CVE-2017-15098 CVE-2017-15099 Package : postgresql Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-485 Summary ======= The package postgresql before version 10.1-1 is vulnerable to multiple issues including access restriction bypass and information disclosure. Resolution ========== Upgrade to 10.1-1. # pacman -Syu "postgresql>=10.1-1" The problems have been fixed upstream in version 10.1. Workaround ========== None. Description =========== - CVE-2017-15098 (information disclosure) A denial of service and potential memory disclosure vulnerability has been discovered in PostgreSQL in the json_populate_recordset() and jsonb_populate_recordset() functions. - CVE-2017-15099 (access restriction bypass) An access restriction bypass vulnerability has been discovered in PostgreSQL, the "INSERT ... ON CONFLICT DO UPDATE" would not check to see if the executing user had permission to perform a "SELECT" on the index performing the conflicting check. Additionally, in a table with row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE" would not check the SELECT policies for that table before performing the update. The fix ensures that "INSERT ... ON CONFLICT DO UPDATE" checks against table permissions and RLS policies before executing. Impact ====== A remote attacker is able to bypass access restrictions via certain queries or possibly leak sensitive information from the running process. References ========== https://www.postgresql.org/about/news/1801/ https://security.archlinux.org/CVE-2017-15098 https://security.archlinux.org/CVE-2017-15099