Security Information / 2017 / Security Information -- DSA-3851-1 postgresql-9.4

Debian Security Advisory

DSA-3851-1 postgresql-9.4 -- security update

Date Reported:

12 May 2017

Affected Packages:

postgresql-9.4

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2017-7484, CVE-2017-7485, CVE-2017-7486.

More information:

Several vulnerabilities have been found in the PostgreSQL database system:

• CVE-2017-7484

  Robert Haas discovered that some selectivity estimators did not validate user privileges which could result in information disclosure.

• CVE-2017-7485

  Daniel Gustafsson discovered that the PGREQUIRESSL environment variable did no longer enforce a TLS connection.

• CVE-2017-7486

  Andrew Wheelwright discovered that user mappings were insufficiently restricted.

For the stable distribution (jessie), these problems have been fixed in version 9.4.12-0+deb8u1.

We recommend that you upgrade your postgresql-9.4 packages.