FreeBSD : PostgreSQL vulnerabilities (414c18bf-3653-11e7-9550-6cc21735f730)

Medium Nessus Plugin ID 100141

Synopsis

The remote FreeBSD host is missing one or more security-related
updates.

Description

The PostgreSQL project reports:

Security Fixes nested CASE expressions + database and role names with
embedded special characters

- CVE-2017-7484: selectivity estimators bypass SELECT privilege checks.

- CVE-2017-7485: libpq ignores PGREQUIRESSL environment variable.

- CVE-2017-7486: pg_user_mappings view discloses foreign server passwords. This applies to new databases, see the release notes for the procedure to apply the fix to an existing database.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?d375895b

Plugin Details

Severity: Medium

ID: 100141

File Name: freebsd_pkg_414c18bf365311e795506cc21735f730.nasl

Version: 3.4

Type: local

Published: 2017/05/12

Modified: 2018/11/10

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS v3.0

Base Score: 8.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:postgresql92-client, p-cpe:/a:freebsd:freebsd:postgresql92-server, p-cpe:/a:freebsd:freebsd:postgresql93-client, p-cpe:/a:freebsd:freebsd:postgresql93-server, p-cpe:/a:freebsd:freebsd:postgresql94-client, p-cpe:/a:freebsd:freebsd:postgresql94-server, p-cpe:/a:freebsd:freebsd:postgresql95-client, p-cpe:/a:freebsd:freebsd:postgresql95-server, p-cpe:/a:freebsd:freebsd:postgresql96-client, p-cpe:/a:freebsd:freebsd:postgresql96-server, cpe:/o:freebsd:freebsd

Patch Publication Date: 2017/05/11

Vulnerability Publication Date: 2017/05/11

Reference Information

CVE: CVE-2016-5423, CVE-2016-5424