Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 618462 (CVE-2017-7484, CVE-2017-7485, CVE-2017-7486) - <dev-db/postgresql-{9.2.21,9.3.17,9.4.12,9.5.7}: multiple vulnerabilities (CVE-2017-{7484,7485,7486})
Summary: <dev-db/postgresql-{9.2.21,9.3.17,9.4.12,9.5.7}: multiple vulnerabilities (CV...
Status: RESOLVED FIXED
Alias: CVE-2017-7484, CVE-2017-7485, CVE-2017-7486
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.postgresql.org/about/news...
Whiteboard: B3 [glsa glsa cve]
Keywords: STABLEREQ
Depends on: CVE-2017-7546, CVE-2017-7547, CVE-2017-7548
Blocks:
  Show dependency tree
 
Reported: 2017-05-14 17:30 UTC by Agostino Sarubbo
Modified: 2018-07-28 18:52 UTC (History)
2 users (show)

See Also:
Package list:
=app-eselect/eselect-postgresql-2.1 =dev-db/postgresql-9.2.21 =dev-db/postgresql-9.3.17 =dev-db/postgresql-9.4.12 =dev-db/postgresql-9.5.7
Runtime testing required: No
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-05-14 17:30:50 UTC 
From ${URL} :

Three security vulnerabilities have been closed by this release:

CVE-2017-7484: selectivity estimators bypass SELECT privilege checks
CVE-2017-7485: libpq ignores PGREQUIRESSL environment variable
CVE-2017-7486: pg_user_mappings view discloses foreign server passwords
The fix for CVE-2017-7486 applies to new databases, see the release notes for the procedure to apply the fix to an existing database.

Any user relying on the PGREQUIRESSL environment variable is encouraged to use the sslmode connection string option, as use of PGREQUIRESSL 
is deprecated. CVE-2017-7485 does not affect the 9.2 series. For more information on these issues and how they affect 
backwards-compatibility, see the Release Notes.


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron W. Swenson gentoo-dev 2017-05-19 15:02:05 UTC 
Here are the stabilization targets:

=app-eselect/eselect-postgresql-2.1 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.2.21 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.17 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.12 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.7 ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86

While app-eselect/eselect-postgresql-2.1 was just added today, it was to fix the only bug open against 2.0 (which is the minimum these ebuilds require) since it was introduced a over a month ago.

As has been mentioned on previous bugs, 9.5 on up is excluded from Alpha stabilization given upstream dropping support specific to that architecture.
Comment 2 Agostino Sarubbo gentoo-dev 2017-05-20 08:49:43 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-05-20 09:35:56 UTC 
x86 stable
Comment 4 Michael Weber (RETIRED) gentoo-dev 2017-05-22 09:36:04 UTC 
ppc ppc64 stable.
Comment 5 Agostino Sarubbo gentoo-dev 2017-05-22 11:41:37 UTC 
sparc stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2017-05-22 13:26:41 UTC 
Stable on alpha.
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-05-22 16:12:37 UTC 
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2017-06-01 04:43:31 UTC 
arm stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-06-08 23:39:57 UTC 
CVE-2017-7486 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7486):
  PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in
  pg_user_mappings view which discloses foreign server passwords to any user
  having USAGE privilege on the associated foreign server.

CVE-2017-7485 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7485):
  In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7,
  and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment
  variable was no longer enforcing a SSL/TLS connection to a PostgreSQL
  server. An active Man-in-the-Middle attacker could use this flaw to strip
  the SSL/TLS protection from a connection between a client and a server.

CVE-2017-7484 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7484):
  It was found that some selectivity estimation functions in PostgreSQL before
  9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and
  9.6.x before 9.6.3 did not check user privileges before providing
  information from pg_statistic, possibly leaking information. An unprivileged
  attacker could use this flaw to steal some information from tables they are
  otherwise not allowed to access.
Comment 10 Agostino Sarubbo gentoo-dev 2017-06-10 15:18:38 UTC 
ia64 stable
Comment 11 Aaron W. Swenson gentoo-dev 2017-07-21 19:21:01 UTC 
@hppa ping
Comment 12 Aaron W. Swenson gentoo-dev 2017-08-10 15:22:46 UTC 
Stabilization work now to be done on bug 627462.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2017-10-02 06:12:06 UTC 
GLSA Vote: Yes
Added to an existing GLSA Request.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-10-08 13:56:34 UTC 
This issue was resolved and addressed in
 GLSA 201710-06 at https://security.gentoo.org/glsa/201710-06
by GLSA coordinator Aaron Bauman (b-man).