Alpine: postgresql: security update to 9.5.7-r0

high Tenable Cloud Security Plugin ID 406492

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17,
9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before
providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use
this flaw to steal some information from tables they are otherwise not allowed to access. (CVE-2017-7484)

- In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was
found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a
PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS
protection from a connection between a client and a server. (CVE-2017-7485)

- PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses
foreign server passwords to any user having USAGE privilege on the associated foreign server.
(CVE-2017-7486)

See Also

https://security.alpinelinux.org/vuln/CVE-2017-7484

https://security.alpinelinux.org/vuln/CVE-2017-7485

https://security.alpinelinux.org/vuln/CVE-2017-7486

Plugin Details

Severity: High

ID: 406492

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2017-7486

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/11/2017

Reference Information

CVE: CVE-2017-7484, CVE-2017-7485, CVE-2017-7486

BID: 98459, 98460, 98461

IAVB: 2017-B-0056-S