[arch-security] [ASA-201711-17] postgresql: multiple issues
anthraxx at archlinux.org
Fri Nov 10 14:11:39 UTC 2017
Arch Linux Security Advisory ASA-201711-17
Date : 2017-11-10
CVE-ID : CVE-2017-15098 CVE-2017-15099
Package : postgresql
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-485
The package postgresql before version 10.1-1 is vulnerable to multiple
issues including access restriction bypass and information disclosure.
Upgrade to 10.1-1.
# pacman -Syu "postgresql>=10.1-1"
The problems have been fixed upstream in version 10.1.
- CVE-2017-15098 (information disclosure)
A denial of service and potential memory disclosure vulnerability has
been discovered in PostgreSQL in the json_populate_recordset() and
- CVE-2017-15099 (access restriction bypass)
An access restriction bypass vulnerability has been discovered in
PostgreSQL, the "INSERT ... ON CONFLICT DO UPDATE" would not check to
see if the executing user had permission to perform a "SELECT" on the
index performing the conflicting check. Additionally, in a table with
row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE"
would not check the SELECT policies for that table before performing
The fix ensures that "INSERT ... ON CONFLICT DO UPDATE" checks against
table permissions and RLS policies before executing.
A remote attacker is able to bypass access restrictions via certain
queries or possibly leak sensitive information from the running
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 866 bytes
Desc: OpenPGP digital signature
More information about the arch-security