It was reported [1] that a user having the INSERT, UPDATE or DELETE privilege on a table or a subset of its columns but lacking the SELECT privilege on some column may nonetheless be able to acquire values from the denied column. The user's modification privileges must be sufficient to enable violating some existing constraint. For example, a user having no SELECT privilege and having the UPDATE privilege on one NOT NULL column can use constraint violation error messages to harvest all values of every other column. [1]: http://www.postgresql.org/message-id/flat/20140926151728.GN16422@tamriel.snowman.net Acknowledgements: Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Stephen Frost as the original reporter.
Upstream patch: https://github.com/postgres/postgres/commit/804b6b6db4dcfc590a468e7be390738f9f7755fb
External References: http://www.postgresql.org/about/news/1569/
This issue was addressed in Fedora 20 and Fedora 21 via the following security advisories: https://admin.fedoraproject.org/updates/FEDORA-2015-1728/postgresql-9.3.6-1.fc20 https://admin.fedoraproject.org/updates/FEDORA-2015-1745/postgresql-9.3.6-1.fc21
This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Via RHSA-2015:0699 https://rhn.redhat.com/errata/RHSA-2015-0699.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2015:0750 https://rhn.redhat.com/errata/RHSA-2015-0750.html
This issue has been addressed in the following products: Red Hat Satellite Server v 5.7 Via RHSA-2015:0856 https://rhn.redhat.com/errata/RHSA-2015-0856.html