The pg_user_mappings view long required privileges on a given foreign server in order to see "options", notably passwords, associated with user mappings of that server. The fix for CVE-2017-7486 removed that requirement. This allows each user to retrieve passwords from user mappings that foreign server owners defined for the user in question, even if that owner granted no actual privileges. The user in question might retrieve the password and use it to connect via another mechanism. Supported vulnerable versions: 9.2 - 9.6 Upstream patch: https://github.com/postgres/postgres/commit/b6e39ca92eeee4 Users affected by CVE-2017-7547 will need to perform additional steps after upgrading to resolve the issue. See https://www.postgresql.org/about/news/1772/ for more information on this.
Acknowledgments: Name: the PostgreSQL project Upstream: Jeff Janes
External References: https://www.postgresql.org/about/news/1772/
Created mingw-postgresql tracking bugs for this issue: Affects: epel-7 [bug 1480282] Affects: fedora-all [bug 1480283] Created postgresql tracking bugs for this issue: Affects: fedora-all [bug 1480284]
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2677 https://access.redhat.com/errata/RHSA-2017:2677
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2678 https://access.redhat.com/errata/RHSA-2017:2678
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2728 https://access.redhat.com/errata/RHSA-2017:2728
Statement: Red Hat Satellite 5 are is in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.