CVE-2017-7484

Name: CVE-2017-7484
Description: It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-3851-1

The information below is based on the following data on fixed versions.

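| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| postgresql-8.4 | source | wheezy | (not affected) | | | |
| postgresql-8.4 | source | (unstable) | (unfixed) | | | |
| postgresql-9.1 | source | wheezy | (not affected) | | | |
| postgresql-9.1 | source | jessie | (not affected) | | | |
| postgresql-9.1 | source | (unstable) | (unfixed) | | | |
| postgresql-9.4 | source | jessie | 9.4.12-0+deb8u1 | | DSA-3851-1 | |
| postgresql-9.4 | source | (unstable) | (unfixed) | | | |
| postgresql-9.6 | source | (unstable) | 9.6.3-1 | | | |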

Notes

[jessie] - postgresql-9.1 <not-affected> (postgresql-9.1 in jessie only provides PL/Perl)
[wheezy] - postgresql-9.1 <not-affected> (Vulnerable code does not exist)
[wheezy] - postgresql-8.4 <not-affected> (Vulnerable code does not exist)
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=c33c42362256382ed398df9dcda559cd547c68a7
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cad15943225adbcadea51602b38b04d71d1183d2
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=935e77d527a018b652f247c7374c558871210db6
