Debian Security Advisory

DSA-3851-1 postgresql-9.4 -- security update

Date Reported:
12 May 2017
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2017-7484, CVE-2017-7485, CVE-2017-7486.
More information:

Several vulnerabilities have been found in the PostgreSQL database system:

  • CVE-2017-7484

    Robert Haas discovered that some selectivity estimators did not validate user privileges which could result in information disclosure.

  • CVE-2017-7485

    Daniel Gustafsson discovered that the PGREQUIRESSL environment variable did no longer enforce a TLS connection.

  • CVE-2017-7486

    Andrew Wheelwright discovered that user mappings were insufficiently restricted.

For the stable distribution (jessie), these problems have been fixed in version 9.4.12-0+deb8u1.

We recommend that you upgrade your postgresql-9.4 packages.