==========================================================================
Ubuntu Security Notice USN-3390-1
August 15, 2017
postgresql-9.3, postgresql-9.5, postgresql-9.6 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 17.04
– Ubuntu 16.04 LTS
– Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in PostgreSQL.
Software Description:
– postgresql-9.6: object-relational SQL database
– postgresql-9.5: Object-relational SQL database
– postgresql-9.3: Object-relational SQL database
Details:
Ben de Graaff, Jelte Fennema, and Jeroen van der Ham discovered that
PostgreSQL allowed the use of empty passwords in some authentication
methods, contrary to expected behaviour. A remote attacker could use an
empty password to authenticate to servers that were believed to have
password login disabled. (CVE-2017-7546)
Jeff Janes discovered that PostgreSQL incorrectly handled the
pg_user_mappings catalog view. A remote attacker without server privileges
could possibly use this issue to obtain certain passwords. (CVE-2017-7547)
Chapman Flack discovered that PostgreSQL incorrectly handled lo_put()
permissions. A remote attacker could possibly use this issue to change the
data in a large object. (CVE-2017-7548)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
postgresql-9.6 9.6.4-0ubuntu0.17.04.1
Ubuntu 16.04 LTS:
postgresql-9.5 9.5.8-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
postgresql-9.3 9.3.18-0ubuntu0.14.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3390-1
CVE-2017-7546, CVE-2017-7547, CVE-2017-7548
Package Information:
https://launchpad.net/ubuntu/+source/postgresql-9.6/9.6.4-0ubuntu0.17.04.1
https://launchpad.net/ubuntu/+source/postgresql-9.5/9.5.8-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/postgresql-9.3/9.3.18-0ubuntu0.14.04.1
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2
iQIcBAEBCgAGBQJZkzC8AAoJEGVp2FWnRL6TkfsQAI6jVG/kXKbP6GRbiGas/Jiq
iHYrvGT8WSkj91SNAuOlp4wASwRSgH+G1mIOTqq5DmY0vld1ZgKdFXBNhEfLsuC2
SIYpjlDnKeUkM1B3RmUx3/xKpIq+0PjNFI6lr994NGPLlv/GfwuFUoc5a14OM15A
LbBCoDe5+PNBqRJXYVPUJK3Bufj2t6o2eHlCriuPJiHJFe2NtL7sUFyWnpOKhu+i
7tprw+PSS+4EaFfyOBB/nvKxrNPqhEYp6u7Arur8zQhO1IyicEoSWbNv9H07j4Yq
jSisQoY4rFCvDB8rrC+4RoqKElr6pLQDgwEoeigJPK3Chz7sEFpzWX3uC3GR8PcM
fdeq8DBl9VyFvFHf6/gmVUwUue+frpo9epbwILMBjbBpwUCdXkBNFJ5jCRLfFcI8
niXx1jGh+MooEvGyQ16Cidu2d9/VAMaCOOFw/1QXIHELr8Vg4xyFqQ+6I86s7YfI
pBYxF7BJbFzw6CqFWGXp5hpEi9bq6GPRxAjC21CWjZVpCnboEW9jboZp7UhbHiWH
cu5eKegYgADiSvUb5XNpCT8mxibfp3YzIam5hogqwyDSSxmfkQzzFhSDYM298HpT
cB6aaTP/UUNyVk6ygMCQn/t9OWP4CzaBmJ4ycUEGXd2G67wbWIBEn00vfu9xgTN2
d7nvyJ5vmMRB2Srm1IYS
=h8x+
—–END PGP SIGNATURE—–
—