Subject: [ASA-201711-18] postgresql-old-upgrade: multiple issues

Arch Linux Security Advisory ASA-201711-18
==========================================

Severity: Medium
Date    : 2017-11-10
CVE-ID  : CVE-2017-15098 CVE-2017-15099
Package : postgresql-old-upgrade
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-486

Summary
=======

The package postgresql-old-upgrade before version 9.6.6-1 is vulnerable
to multiple issues including access restriction bypass and information
disclosure.

Resolution
==========

Upgrade to 9.6.6-1.

# pacman -Syu "postgresql-old-upgrade>=9.6.6-1"

The problems have been fixed upstream in version 9.6.6.

Workaround
==========

None.

Description
===========

- CVE-2017-15098 (information disclosure)

A denial of service and potential memory disclosure vulnerability has
been discovered in PostgreSQL in the json_populate_recordset() and
jsonb_populate_recordset() functions.

- CVE-2017-15099 (access restriction bypass)

An access restriction bypass vulnerability has been discovered in
PostgreSQL, the "INSERT ... ON CONFLICT DO UPDATE" would not check to
see if the executing user had permission to perform a "SELECT" on the
index performing the conflicting check. Additionally, in a table with
row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE"
would not check the SELECT policies for that table before performing
the update.
The fix ensures that "INSERT ... ON CONFLICT DO UPDATE" checks against
table permissions and RLS policies before executing.

Impact
======

A remote attacker is able to bypass access restrictions via certain
queries or possibly leak sensitive information from the running
process.

References
==========

https://www.postgresql.org/about/news/1801/
https://security.archlinux.org/CVE-2017-15098
https://security.archlinux.org/CVE-2017-15099