[manjaro-security] [arch-security] [ASA-201711-18] postgresql-old-upgrade: multiple issues
anthraxx at archlinux.org
Fri Nov 10 15:12:28 CET 2017
Arch Linux Security Advisory ASA-201711-18
Date : 2017-11-10
CVE-ID : CVE-2017-15098 CVE-2017-15099
Package : postgresql-old-upgrade
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-486
The package postgresql-old-upgrade before version 9.6.6-1 is vulnerable
to multiple issues including access restriction bypass and information
Upgrade to 9.6.6-1.
# pacman -Syu "postgresql-old-upgrade>=9.6.6-1"
The problems have been fixed upstream in version 9.6.6.
- CVE-2017-15098 (information disclosure)
A denial of service and potential memory disclosure vulnerability has
been discovered in PostgreSQL in the json_populate_recordset() and
- CVE-2017-15099 (access restriction bypass)
An access restriction bypass vulnerability has been discovered in
PostgreSQL: "INSERT ... ON CONFLICT DO UPDATE" would not check whether
the executing user had permission to perform a "SELECT" on the
index performing the conflicting check. Additionally, in a table with
row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE"
would not check the SELECT policies for that table before performing
The fix ensures that "INSERT ... ON CONFLICT DO UPDATE" checks against
table permissions and RLS policies before executing.
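A regression check for the fixed behaviour described above, added here as an example and not part of the advisory or of PostgreSQL's own test suite. It assumes a psql session started as a superuser; the table, role and policy names are placeholders chosen for this example. On a server at 9.6.6 or later the final upsert must fail with a permission denied error because the role lacks SELECT; if it succeeds, the server still has the unpatched behaviour.

```sql
-- Constructed check (not from the advisory). Run as a superuser in psql.
CREATE TABLE rls_demo (
    id    integer PRIMARY KEY,
    owner text NOT NULL,
    note  text
);
ALTER TABLE rls_demo ENABLE ROW LEVEL SECURITY;

-- SELECT policy: before 9.6.6 the DO UPDATE path did not apply this to the
-- existing conflicting row.
CREATE POLICY see_own    ON rls_demo FOR SELECT USING (owner = current_user);
CREATE POLICY insert_any ON rls_demo FOR INSERT WITH CHECK (true);
CREATE POLICY update_any ON rls_demo FOR UPDATE USING (true);

-- Placeholder role with INSERT and UPDATE only; deliberately no SELECT.
CREATE ROLE upsert_only LOGIN;
GRANT INSERT, UPDATE ON rls_demo TO upsert_only;

-- Seed a row owned by someone else (superuser bypasses RLS here).
INSERT INTO rls_demo VALUES (1, 'alice', 'secret');

SET ROLE upsert_only;
-- Arbiter given by constraint name: the case whose SELECT-privilege check on
-- the index columns was missing. Expected on a fixed server: a
-- "permission denied" error. A successful upsert means the fix is absent.
INSERT INTO rls_demo VALUES (1, 'upsert_only', 'x')
    ON CONFLICT ON CONSTRAINT rls_demo_pkey
    DO UPDATE SET note = EXCLUDED.note;
RESET ROLE;

-- Clean up the placeholder objects.
DROP TABLE rls_demo;
DROP ROLE upsert_only;
```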
A remote attacker is able to bypass access restrictions via certain
queries or possibly leak sensitive information from the running