Leaky PostgreSQL passwords plugged

DBAs: strap on your patching boots. Every DB in your clusters needs work

PostgreSQL has released three security patches for versions 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22.

In CVE-2017-7547, a remote attacker can retrieve others' passwords because of a user mapping bug.

The authorisation oopsie derives from the database's handling of pg_user_mappings, allowing an authenticated remote attacker retrieve passwords from user mappings defined by the server owner – all the way up to passwords set by the server admin.

Settle in with lots of coffee, sysadmins: after fetching the patch, there's a set of fix commands that have to be run on every database in a cluster.

In CVE-2017-7546, the server accepts empty passwords, as explained by Adam Mari? here:

“Several authentication methods, including the widely-used 'md5' method, permit empty passwords. On the client side, libpq will not send an empty password. This may have given a false impression that an empty password was equivalent to disabling the account with respect to authentication methods requiring a password. On the contrary, an attacker could easily authenticate as the user.”

In CVE-2017-7548, there's a fix to the database's lo_put() function, which had a missing permission check that allowed “any user to change the data in a large object”.

The PostgreSQL note about the bug outlines 50 other fixes for bugs reported in the last three months, and reminds users that Version 9.2 will move to the end-of-life list in September. ?


Biting the hand that feeds IT ? 1998–2017

                                    1. 3239961348 2018-02-21
                                    2. 8189611347 2018-02-21
                                    3. 1166571346 2018-02-21
                                    4. 905911345 2018-02-21
                                    5. 238301344 2018-02-21
                                    6. 9856121343 2018-02-21
                                    7. 7107891342 2018-02-21
                                    8. 616201341 2018-02-21
                                    9. 97671340 2018-02-21
                                    10. 7844621339 2018-02-21
                                    11. 9607131338 2018-02-21
                                    12. 3095441337 2018-02-21
                                    13. 9602111336 2018-02-21
                                    14. 5723751335 2018-02-21
                                    15. 1275371334 2018-02-21
                                    16. 8517591333 2018-02-21
                                    17. 230661332 2018-02-21
                                    18. 3311101331 2018-02-21
                                    19. 6181321330 2018-02-20
                                    20. 6139401329 2018-02-20