{"id":"MGASA-2017-0316","summary":"Updated postgresql9.3/4/6 packages fix security vulnerabilities","details":"libpq, and by extension any connection driver that utilizes libpq,\nignores empty passwords and does not transmit them to the server. When\nusing libpq or a libpq-based connection driver to perform password-based\nauthentication methods, it would appear that setting an empty password\nwould be the equivalent of disabling password login. However, using a\nnon-libpq based connection driver could allow a client with an empty\npassword to log in (CVE-2017-7546).\n\nA user had access to see the options in pg_user_mappings even if the\nuser did not have the USAGE permission on the associated foreign server.\nThis meant that a user could see details such as a password that might\nhave been set by the server administrator rather than the user\n(CVE-2017-7547).\n\nThe lo_put() function should require the same permissions as lowrite(),\nbut there was a missing permission check which would allow any user to\nchange the data in a large object (CVE-2017-7548).\n\nNote: the CVE-2017-7547 issue requires manual intervention to fix on\naffected systems.  See the references for details.\n","modified":"2026-04-16T06:26:19.835109363Z","published":"2017-08-28T08:14:39Z","upstream":["CVE-2017-7546","CVE-2017-7547","CVE-2017-7548"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2017-0316.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=21496"},{"type":"WEB","url":"http://www.postgresql.org/docs/current/static/release-9-3-18.html"},{"type":"WEB","url":"http://www.postgresql.org/docs/current/static/release-9-4-13.html"},{"type":"WEB","url":"https://www.postgresql.org/docs/current/static/release-9-6-4.html"},{"type":"WEB","url":"https://www.postgresql.org/about/news/1772/"}],"affected":[{"package":{"name":"postgresql9.3","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/postgresql9.3?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.3.18-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0316.json"}},{"package":{"name":"postgresql9.4","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/postgresql9.4?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.4.13-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0316.json"}},{"package":{"name":"postgresql9.4","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/postgresql9.4?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.4.13-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0316.json"}},{"package":{"name":"postgresql9.6","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/postgresql9.6?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.6.4-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0316.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}