Debian Security Advisory
DSA-3851-1 postgresql-9.4 -- security update
- Date Reported:
- 12 May 2017
- Affected Packages:
- postgresql-9.4
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2017-7484, CVE-2017-7485, CVE-2017-7486.
- More information:
-
Several vulnerabilities have been found in the PostgreSQL database system:
- CVE-2017-7484
Robert Haas discovered that some selectivity estimators did not validate user privileges which could result in information disclosure.
- CVE-2017-7485
Daniel Gustafsson discovered that the PGREQUIRESSL environment variable did no longer enforce a TLS connection.
- CVE-2017-7486
Andrew Wheelwright discovered that user mappings were insufficiently restricted.
For the stable distribution (jessie), these problems have been fixed in version 9.4.12-0+deb8u1.
We recommend that you upgrade your postgresql-9.4 packages.
- CVE-2017-7484