MGASA-2017-0428

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2017-0428.html

Import Source

https://advisories.mageia.org/MGASA-2017-0428.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2017-0428

Related

Published

2017-11-29T18:52:42Z

Modified

2017-11-29T18:22:44Z

Summary

Updated postgresql packages fix security vulnerabilities

Details

The startup log file for the postmaster (in newer releases, "postgres") process was opened while the process was still owned by root. With this setup, the database owner could specify a file that they did not have access to and cause the file to be corrupted with logged data (CVE-2017-12172).

Crash due to rowtype mismatch in json{b}populaterecordset(). These functions used the result rowtype specified in the FROM ... AS clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well (CVE-2017-15098).

The "INSERT ... ON CONFLICT DO UPDATE" would not check to see if the executing user had permission to perform a "SELECT" on the index performing the conflicting check. Additionally, in a table with row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE" would not check the SELECT policies for that table before performing the update (CVE-2017-15099).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:5 / postgresql9.3

Package

Name: postgresql9.3
Purl: pkg:rpm/mageia/postgresql9.3?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.3.20-1.mga5

Ecosystem specific

{
    "section": "core"
}

Mageia:5 / postgresql9.4

Package

Name: postgresql9.4
Purl: pkg:rpm/mageia/postgresql9.4?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.15-1.mga5

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / postgresql9.4

Package

Name: postgresql9.4
Purl: pkg:rpm/mageia/postgresql9.4?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.15-1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / postgresql9.6

Package

Name: postgresql9.6
Purl: pkg:rpm/mageia/postgresql9.6?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.6.6-1.mga6

Ecosystem specific

{
    "section": "core"
}