Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2017-0316)

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.1.10.2017.0316

Kategorie: Mageia Linux Local Security Checks

Titel: Mageia: Security Advisory (MGASA-2017-0316)

Zusammenfassung: The remote host is missing an update for the 'postgresql9.3, postgresql9.4, postgresql9.6' package(s) announced via the MGASA-2017-0316 advisory.

Beschreibung: Summary:
The remote host is missing an update for the 'postgresql9.3, postgresql9.4, postgresql9.6' package(s) announced via the MGASA-2017-0316 advisory.

Vulnerability Insight:
libpq, and by extension any connection driver that utilizes libpq,
ignores empty passwords and does not transmit them to the server. When
using libpq or a libpq-based connection driver to perform password-based
authentication methods, it would appear that setting an empty password
would be the equivalent of disabling password login. However, using a
non-libpq based connection driver could allow a client with an empty
password to log in (CVE-2017-7546).

A user had access to see the options in pg_user_mappings even if the
user did not have the USAGE permission on the associated foreign server.
This meant that a user could see details such as a password that might
have been set by the server administrator rather than the user
(CVE-2017-7547).

The lo_put() function should require the same permissions as lowrite(),
but there was a missing permission check which would allow any user to
change the data in a large object (CVE-2017-7548).

Note: the CVE-2017-7547 issue requires manual intervention to fix on
affected systems. See the references for details.

Affected Software/OS:
'postgresql9.3, postgresql9.4, postgresql9.6' package(s) on Mageia 5, Mageia 6.

Solution:
Please install the updated package(s).

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2017-7546
BugTraq ID: 100278
http://www.securityfocus.com/bid/100278
Debian Security Information: DSA-3935 (Google Search)
http://www.debian.org/security/2017/dsa-3935
Debian Security Information: DSA-3936 (Google Search)
http://www.debian.org/security/2017/dsa-3936
https://security.gentoo.org/glsa/201710-06
RedHat Security Advisories: RHSA-2017:2677
https://access.redhat.com/errata/RHSA-2017:2677
RedHat Security Advisories: RHSA-2017:2678
https://access.redhat.com/errata/RHSA-2017:2678
RedHat Security Advisories: RHSA-2017:2728
https://access.redhat.com/errata/RHSA-2017:2728
RedHat Security Advisories: RHSA-2017:2860
https://access.redhat.com/errata/RHSA-2017:2860
http://www.securitytracker.com/id/1039142
Common Vulnerability Exposure (CVE) ID: CVE-2017-7547
BugTraq ID: 100275
http://www.securityfocus.com/bid/100275
Common Vulnerability Exposure (CVE) ID: CVE-2017-7548
BugTraq ID: 100276
http://www.securityfocus.com/bid/100276

Copyright Copyright (C) 2022 Greenbone AG

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.1.10.2017.0316
Kategorie:	Mageia Linux Local Security Checks
Titel:	Mageia: Security Advisory (MGASA-2017-0316)
Zusammenfassung:	The remote host is missing an update for the 'postgresql9.3, postgresql9.4, postgresql9.6' package(s) announced via the MGASA-2017-0316 advisory.
Beschreibung:	Summary: The remote host is missing an update for the 'postgresql9.3, postgresql9.4, postgresql9.6' package(s) announced via the MGASA-2017-0316 advisory. Vulnerability Insight: libpq, and by extension any connection driver that utilizes libpq, ignores empty passwords and does not transmit them to the server. When using libpq or a libpq-based connection driver to perform password-based authentication methods, it would appear that setting an empty password would be the equivalent of disabling password login. However, using a non-libpq based connection driver could allow a client with an empty password to log in (CVE-2017-7546). A user had access to see the options in pg_user_mappings even if the user did not have the USAGE permission on the associated foreign server. This meant that a user could see details such as a password that might have been set by the server administrator rather than the user (CVE-2017-7547). The lo_put() function should require the same permissions as lowrite(), but there was a missing permission check which would allow any user to change the data in a large object (CVE-2017-7548). Note: the CVE-2017-7547 issue requires manual intervention to fix on affected systems. See the references for details. Affected Software/OS: 'postgresql9.3, postgresql9.4, postgresql9.6' package(s) on Mageia 5, Mageia 6. Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2017-7546 BugTraq ID: 100278 http://www.securityfocus.com/bid/100278 Debian Security Information: DSA-3935 (Google Search) http://www.debian.org/security/2017/dsa-3935 Debian Security Information: DSA-3936 (Google Search) http://www.debian.org/security/2017/dsa-3936 https://security.gentoo.org/glsa/201710-06 RedHat Security Advisories: RHSA-2017:2677 https://access.redhat.com/errata/RHSA-2017:2677 RedHat Security Advisories: RHSA-2017:2678 https://access.redhat.com/errata/RHSA-2017:2678 RedHat Security Advisories: RHSA-2017:2728 https://access.redhat.com/errata/RHSA-2017:2728 RedHat Security Advisories: RHSA-2017:2860 https://access.redhat.com/errata/RHSA-2017:2860 http://www.securitytracker.com/id/1039142 Common Vulnerability Exposure (CVE) ID: CVE-2017-7547 BugTraq ID: 100275 http://www.securityfocus.com/bid/100275 Common Vulnerability Exposure (CVE) ID: CVE-2017-7548 BugTraq ID: 100276 http://www.securityfocus.com/bid/100276
Copyright	Copyright (C) 2022 Greenbone AG