SB2017111004 - Debian update for postgresql-9.6 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017111004

SB2017111004 - Debian update for postgresql-9.6

Published: November 10, 2017

Security Bulletin ID SB2017111004
Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Data handling (CVE-ID: CVE-2017-15098)

The vulnerability allows a remote authenticated attacker to cause DoS condition or obtain potentially sensitive information on a targeted system.

The weakness exists due to improper data handling. A remote attacker can send specially crafted data to trigger a rowtype mismatch in json{b}_populate_recordset(), cause the application to crash or read arbitrary data.

2) Security restrictions bypass (CVE-ID: CVE-2017-15099)

The vulnerability allows a remote attacker to bypass security restrictions on a targeted system.

The weakness exists due to improper security restrictions in the case of an arbiter specified by constraint name. A remote attacker can submit specially crafted INSERT requests and bypass security controls on the update path of 'INSERT ... ON CONFLICT DO UPDATE' function to conduct further attacks.

Remediation

Install update from vendor's website.

References