Bug 1477184 (CVE-2017-7546)
| Summary: | CVE-2017-7546 postgresql: Empty password accepted in some authentication methods | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bkearney, cpelland, dajohnso, databases-maint, devrim, gblomqui, ggainey, gmccullo, gtanzill, hhorak, hhudgeon, jfrey, jhardy, jmlich83, jorton, jprause, jstanek, kbost, meissner, mike, noor.mulla, obarenbo, pkubat, praiskup, roliveri, security-response-team, simaishi, tgl, thomas, tlestach |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | postgresql 9.2.22, postgresql 9.3.18, postgresql 9.4.13, postgresql 9.5.8, postgresql 9.6.4 | Doc Type: | If docs needed, set a value |
| Doc Text: |
It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 03:19:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1477694, 1477695, 1480282, 1480283, 1480284, 1484644, 1484645, 1484646, 1484647, 1484648, 1484649, 1484677, 1484678 | ||
| Bug Blocks: | 1477189 | ||
|
Description
Adam Mariš
2017-08-01 12:24:01 UTC
Acknowledgments: Name: the PostgreSQL project Upstream: Ben de Graaff, Jelte Fennema, Jeroen van der Ham External References: https://www.postgresql.org/about/news/1772/ Created mingw-postgresql tracking bugs for this issue: Affects: epel-7 [bug 1480282] Affects: fedora-all [bug 1480283] Created postgresql tracking bugs for this issue: Affects: fedora-all [bug 1480284] This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2677 https://access.redhat.com/errata/RHSA-2017:2677 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2678 https://access.redhat.com/errata/RHSA-2017:2678 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2728 https://access.redhat.com/errata/RHSA-2017:2728 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:2860 https://access.redhat.com/errata/RHSA-2017:2860 Statement: Red Hat Satellite 5 are is in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. |