| Name | CVE-2017-7484 |
| Description | It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-3851-1 |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| postgresql-8.4 | source | wheezy | (not affected) | |||
| postgresql-8.4 | source | (unstable) | (unfixed) | |||
| postgresql-9.1 | source | wheezy | (not affected) | |||
| postgresql-9.1 | source | jessie | (not affected) | |||
| postgresql-9.1 | source | (unstable) | (unfixed) | |||
| postgresql-9.4 | source | jessie | 9.4.12-0+deb8u1 | DSA-3851-1 | ||
| postgresql-9.4 | source | (unstable) | (unfixed) | |||
| postgresql-9.6 | source | (unstable) | 9.6.3-1 |
[jessie] - postgresql-9.1 <not-affected> (postgresql-9.1 in jessie only provides PL/Perl)
[wheezy] - postgresql-9.1 <not-affected> (Vulnerable code do not exist)
[wheezy] - postgresql-8.4 <not-affected> (Vulnerable code do not exist)
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=c33c42362256382ed398df9dcda559cd547c68a7
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cad15943225adbcadea51602b38b04d71d1183d2
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=935e77d527a018b652f247c7374c558871210db6