ALAS-2017-839

Description

Selectivity estimators bypass SELECT privilege checks
It was found that some selectivity estimation functions did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access. (CVE-2017-7484)

libpq ignores PGREQUIRESSL environment variable
It was found that PGREQUIRESSL was no longer enforcing an SSL/TLS connection to a PostgreSQL server. An active man-in-the-middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. (CVE-2017-7485)

pg_user_mappings view discloses foreign server passwords
It was found that the pg_user_mappings view in PostgreSQL could disclose information about user mappings to a foreign database to unprivileged users. An authenticated attacker with USAGE privilege for this mapping could, when querying the view, obtain user mapping data, such as the username and password used to connect to the foreign database. (CVE-2017-7486)

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.


Affected package information

Package Patched in
postgresql93 postgresql93-9.3.17-1.63.amzn1.src
postgresql93 postgresql93-9.3.17-1.63.amzn1.x86_64
postgresql93 postgresql93-9.3.17-1.63.amzn1.i686
postgresql93-contrib postgresql93-contrib-9.3.17-1.63.amzn1.x86_64
postgresql93-contrib postgresql93-contrib-9.3.17-1.63.amzn1.i686
postgresql93-debuginfo postgresql93-debuginfo-9.3.17-1.63.amzn1.x86_64
postgresql93-debuginfo postgresql93-debuginfo-9.3.17-1.63.amzn1.i686
postgresql93-devel postgresql93-devel-9.3.17-1.63.amzn1.i686
postgresql93-devel postgresql93-devel-9.3.17-1.63.amzn1.x86_64
postgresql93-docs postgresql93-docs-9.3.17-1.63.amzn1.x86_64
postgresql93-docs postgresql93-docs-9.3.17-1.63.amzn1.i686
postgresql93-libs postgresql93-libs-9.3.17-1.63.amzn1.i686
postgresql93-libs postgresql93-libs-9.3.17-1.63.amzn1.x86_64
postgresql93-plperl postgresql93-plperl-9.3.17-1.63.amzn1.i686
postgresql93-plperl postgresql93-plperl-9.3.17-1.63.amzn1.x86_64
postgresql93-plpython26 postgresql93-plpython26-9.3.17-1.63.amzn1.i686
postgresql93-plpython26 postgresql93-plpython26-9.3.17-1.63.amzn1.x86_64
postgresql93-plpython27 postgresql93-plpython27-9.3.17-1.63.amzn1.x86_64
postgresql93-plpython27 postgresql93-plpython27-9.3.17-1.63.amzn1.i686
postgresql93-pltcl postgresql93-pltcl-9.3.17-1.63.amzn1.x86_64
postgresql93-pltcl postgresql93-pltcl-9.3.17-1.63.amzn1.i686
postgresql93-server postgresql93-server-9.3.17-1.63.amzn1.x86_64
postgresql93-server postgresql93-server-9.3.17-1.63.amzn1.i686
postgresql93-test postgresql93-test-9.3.17-1.63.amzn1.i686
postgresql93-test postgresql93-test-9.3.17-1.63.amzn1.x86_64
postgresql94 postgresql94-9.4.12-1.68.amzn1.src
postgresql94 postgresql94-9.4.12-1.68.amzn1.i686
postgresql94 postgresql94-9.4.12-1.68.amzn1.x86_64
postgresql94-contrib postgresql94-contrib-9.4.12-1.68.amzn1.x86_64
postgresql94-contrib postgresql94-contrib-9.4.12-1.68.amzn1.i686
postgresql94-debuginfo postgresql94-debuginfo-9.4.12-1.68.amzn1.i686
postgresql94-debuginfo postgresql94-debuginfo-9.4.12-1.68.amzn1.x86_64
postgresql94-devel postgresql94-devel-9.4.12-1.68.amzn1.x86_64
postgresql94-devel postgresql94-devel-9.4.12-1.68.amzn1.i686
postgresql94-docs postgresql94-docs-9.4.12-1.68.amzn1.i686
postgresql94-docs postgresql94-docs-9.4.12-1.68.amzn1.x86_64
postgresql94-libs postgresql94-libs-9.4.12-1.68.amzn1.i686
postgresql94-libs postgresql94-libs-9.4.12-1.68.amzn1.x86_64
postgresql94-plperl postgresql94-plperl-9.4.12-1.68.amzn1.x86_64
postgresql94-plperl postgresql94-plperl-9.4.12-1.68.amzn1.i686
postgresql94-plpython26 postgresql94-plpython26-9.4.12-1.68.amzn1.i686
postgresql94-plpython26 postgresql94-plpython26-9.4.12-1.68.amzn1.x86_64
postgresql94-plpython27 postgresql94-plpython27-9.4.12-1.68.amzn1.i686
postgresql94-plpython27 postgresql94-plpython27-9.4.12-1.68.amzn1.x86_64
postgresql94-server postgresql94-server-9.4.12-1.68.amzn1.i686
postgresql94-server postgresql94-server-9.4.12-1.68.amzn1.x86_64
postgresql94-test postgresql94-test-9.4.12-1.68.amzn1.x86_64
postgresql94-test postgresql94-test-9.4.12-1.68.amzn1.i686
postgresql95 postgresql95-9.5.7-1.72.amzn1.x86_64
postgresql95 postgresql95-9.5.7-1.72.amzn1.src
postgresql95 postgresql95-9.5.7-1.72.amzn1.i686
postgresql95-contrib postgresql95-contrib-9.5.7-1.72.amzn1.i686
postgresql95-contrib postgresql95-contrib-9.5.7-1.72.amzn1.x86_64
postgresql95-debuginfo postgresql95-debuginfo-9.5.7-1.72.amzn1.x86_64
postgresql95-debuginfo postgresql95-debuginfo-9.5.7-1.72.amzn1.i686
postgresql95-devel postgresql95-devel-9.5.7-1.72.amzn1.x86_64
postgresql95-devel postgresql95-devel-9.5.7-1.72.amzn1.i686
postgresql95-docs postgresql95-docs-9.5.7-1.72.amzn1.x86_64
postgresql95-docs postgresql95-docs-9.5.7-1.72.amzn1.i686
postgresql95-libs postgresql95-libs-9.5.7-1.72.amzn1.x86_64
postgresql95-libs postgresql95-libs-9.5.7-1.72.amzn1.i686
postgresql95-plperl postgresql95-plperl-9.5.7-1.72.amzn1.x86_64
postgresql95-plperl postgresql95-plperl-9.5.7-1.72.amzn1.i686
postgresql95-plpython26 postgresql95-plpython26-9.5.7-1.72.amzn1.i686
postgresql95-plpython26 postgresql95-plpython26-9.5.7-1.72.amzn1.x86_64
postgresql95-plpython27 postgresql95-plpython27-9.5.7-1.72.amzn1.i686
postgresql95-plpython27 postgresql95-plpython27-9.5.7-1.72.amzn1.x86_64
postgresql95-server postgresql95-server-9.5.7-1.72.amzn1.i686
postgresql95-server postgresql95-server-9.5.7-1.72.amzn1.x86_64
postgresql95-static postgresql95-static-9.5.7-1.72.amzn1.x86_64
postgresql95-static postgresql95-static-9.5.7-1.72.amzn1.i686
postgresql95-test postgresql95-test-9.5.7-1.72.amzn1.x86_64
postgresql95-test postgresql95-test-9.5.7-1.72.amzn1.i686