ALAS-2017-838

Description

Selectivity estimators bypass SELECT privilege checks: It was found that some selectivity estimation functions did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access. (CVE-2017-7484)

pg_user_mappings view discloses foreign server passwords: It was found that the pg_user_mappings view from postgresql could disclose information about user mappings to a foreign database to unprivileged users. An authenticated attacker with USAGE privilege for this mapping could, when querying the view, obtain user mapping data, such as the username and password used to connect to the foreign database. (CVE-2017-7486)

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.

Affected package information

Package                     Patched in
postgresql92                postgresql92-9.2.21-1.60.amzn1.i686
postgresql92                postgresql92-9.2.21-1.60.amzn1.x86_64
postgresql92                postgresql92-9.2.21-1.60.amzn1.src
postgresql92-contrib        postgresql92-contrib-9.2.21-1.60.amzn1.i686
postgresql92-contrib        postgresql92-contrib-9.2.21-1.60.amzn1.x86_64
postgresql92-debuginfo      postgresql92-debuginfo-9.2.21-1.60.amzn1.x86_64
postgresql92-debuginfo      postgresql92-debuginfo-9.2.21-1.60.amzn1.i686
postgresql92-devel          postgresql92-devel-9.2.21-1.60.amzn1.i686
postgresql92-devel          postgresql92-devel-9.2.21-1.60.amzn1.x86_64
postgresql92-docs           postgresql92-docs-9.2.21-1.60.amzn1.i686
postgresql92-docs           postgresql92-docs-9.2.21-1.60.amzn1.x86_64
postgresql92-libs           postgresql92-libs-9.2.21-1.60.amzn1.i686
postgresql92-libs           postgresql92-libs-9.2.21-1.60.amzn1.x86_64
postgresql92-plperl         postgresql92-plperl-9.2.21-1.60.amzn1.i686
postgresql92-plperl         postgresql92-plperl-9.2.21-1.60.amzn1.x86_64
postgresql92-plpython26     postgresql92-plpython26-9.2.21-1.60.amzn1.x86_64
postgresql92-plpython26     postgresql92-plpython26-9.2.21-1.60.amzn1.i686
postgresql92-plpython27     postgresql92-plpython27-9.2.21-1.60.amzn1.x86_64
postgresql92-plpython27     postgresql92-plpython27-9.2.21-1.60.amzn1.i686
postgresql92-pltcl          postgresql92-pltcl-9.2.21-1.60.amzn1.x86_64
postgresql92-pltcl          postgresql92-pltcl-9.2.21-1.60.amzn1.i686
postgresql92-server         postgresql92-server-9.2.21-1.60.amzn1.x86_64
postgresql92-server         postgresql92-server-9.2.21-1.60.amzn1.i686
postgresql92-server-compat  postgresql92-server-compat-9.2.21-1.60.amzn1.x86_64
postgresql92-server-compat  postgresql92-server-compat-9.2.21-1.60.amzn1.i686
postgresql92-test           postgresql92-test-9.2.21-1.60.amzn1.i686
postgresql92-test           postgresql92-test-9.2.21-1.60.amzn1.x86_64