PT-2017-3883 · Postgresql+1

Daniel Gustafsson · Published 2017-05-08 · Updated 2026-01-30

CVE-2017-7485 · CVSS v3.1 5.9 (Medium) · Vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

PostgreSQL 9.3.0 through 9.3.16
PostgreSQL 9.4.0 through 9.4.11
PostgreSQL 9.5.0 through 9.5.6
PostgreSQL 9.6.0 through 9.6.2

Description

The flaw is in libpq, the PostgreSQL client library. Handling of the PGREQUIRESSL environment variable was unintentionally dropped in the 9.3 release while its documentation remained, so a client that set PGREQUIRESSL=1 to force SSL/TLS was no longer doing so: libpq silently fell back to its default sslmode of prefer, which accepts a cleartext session whenever the server declines SSL. An active man-in-the-middle that answers the client's SSLRequest with "no SSL" can therefore strip the SSL/TLS protection from a connection between a client relying on PGREQUIRESSL and the server, leaving the session in cleartext. Clients that set sslmode explicitly (in the connection string or via PGSSLMODE) were not affected.

Recommendations

For PostgreSQL 9.3.x through 9.3.16, update to 9.3.17 or later. For 9.4.x through 9.4.11, update to 9.4.12 or later. For 9.5.x through 9.5.6, update to 9.5.7 or later. For 9.6.x through 9.6.2, update to 9.6.3 or later. The fixed releases honour PGREQUIRESSL=1 again (as sslmode=require), but give it lower priority than PGSSLMODE so that existing PGSSLMODE-based configurations keep working. PGREQUIRESSL remains deprecated: set sslmode explicitly instead, and prefer verify-full with sslrootcert, because require only forces encryption and does not authenticate the server, so an attacker presenting their own certificate is still accepted. On 9.5 and later, a client can confirm its own session is encrypted with SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid().
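To make the precedence concrete, the following Python models how libpq resolves its effective sslmode from a conninfo string and the environment, on a vulnerable and on a patched release, and classifies what an on-path attacker can do with the result. It is an added example written for this entry, not libpq's code or anything from the PostgreSQL project. The precedence rules (conninfo sslmode, then PGSSLMODE, then PGREQUIRESSL starting with "1" mapped to require, then the default prefer) follow libpq's documented behaviour after the fix; the conninfo parser covers only the keyword=value form, and the host names and environment values are constructed.

```python
import re
from typing import Dict, Tuple

# Constructed example for this advisory entry: it re-implements libpq's
# documented sslmode precedence in Python so it runs offline. Not libpq code.

SSL_MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
DEFAULT_SSLMODE = "prefer"  # libpq's compiled-in default when nothing sets sslmode

# keyword = value, with optional single-quoted values: host=db sslmode='require'
_KV = re.compile(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|[^\s']+)")


def parse_conninfo(conninfo: str) -> Dict[str, str]:
    """Parse libpq's keyword=value conninfo form (the URI form is not modelled)."""
    opts: Dict[str, str] = {}
    for m in _KV.finditer(conninfo):
        key, raw = m.group(1), m.group(2)
        if raw.startswith("'"):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # strip quotes, unescape
        opts[key] = raw
    return opts


def effective_sslmode(conninfo: str, env: Dict[str, str], patched: bool) -> str:
    """Return the sslmode libpq actually uses for this connection.

    Precedence, highest first:
      1. sslmode keyword in the conninfo string
      2. PGSSLMODE environment variable
      3. PGREQUIRESSL environment variable whose value starts with "1"
         -> "require"; honoured only by patched libpq (9.3.17 / 9.4.12 /
         9.5.7 / 9.6.3 and later). 9.3.0 - 9.6.2 ignored it (CVE-2017-7485).
      4. compiled-in default "prefer"
    """
    opts = parse_conninfo(conninfo)
    if "sslmode" in opts:
        mode = opts["sslmode"]
    elif "PGSSLMODE" in env:
        mode = env["PGSSLMODE"]
    elif patched and env.get("PGREQUIRESSL", "").startswith("1"):
        mode = "require"
    else:
        mode = DEFAULT_SSLMODE
    if mode not in SSL_MODES:
        # libpq fails the connection attempt with "invalid sslmode value"
        raise ValueError(f"invalid sslmode value: {mode!r}")
    return mode


def mitm_exposure(mode: str) -> str:
    """What an on-path attacker can do against a connection with this sslmode."""
    if mode in ("disable", "allow", "prefer"):
        # libpq accepts a cleartext session if the "server" answers the
        # SSLRequest with 'N', so a MITM can strip TLS entirely.
        return "strippable"
    if mode == "require":
        # TLS is mandatory, but the server certificate is not validated,
        # so a MITM presenting its own certificate is still accepted.
        return "encrypted-unverified"
    return "verified"  # verify-ca / verify-full reject a rogue certificate


def audit(conninfo: str, env: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Compare one configuration's outcome on vulnerable and patched libpq."""
    result: Dict[str, Tuple[str, str]] = {}
    for label, patched in (("vulnerable_libpq", False), ("patched_libpq", True)):
        mode = effective_sslmode(conninfo, env, patched)
        result[label] = (mode, mitm_exposure(mode))
    return result


if __name__ == "__main__":
    # Constructed configurations; host names and values are illustrative only.
    cases = {
        "relies on PGREQUIRESSL only":
            ("host=db.internal dbname=app", {"PGREQUIRESSL": "1"}),
        "PGSSLMODE wins over PGREQUIRESSL":
            ("host=db.internal", {"PGREQUIRESSL": "1", "PGSSLMODE": "verify-full"}),
        "conninfo wins over environment":
            ("host=db.internal sslmode='disable'", {"PGREQUIRESSL": "1"}),
        "PGREQUIRESSL not starting with 1":
            ("host=db.internal", {"PGREQUIRESSL": "0"}),
    }
    for name, (conninfo, env) in cases.items():
        print(f"{name}: {audit(conninfo, env)}")
```

The first case is the hazard this entry describes: with only PGREQUIRESSL=1 set, 9.3.0 through 9.6.2 silently used prefer, which a MITM can strip, while the patched releases give require, which forces encryption but still accepts any server certificate. Only verify-ca or verify-full (with sslrootcert) closes that second gap, so a configuration audit should treat require as a floor rather than a target.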

Fix

Upgrade to the patched releases listed under Recommendations above.

Weakness Enumeration

CWE-311: Missing Encryption of Sensitive Data

Related identifiers

BDU:2019-04174
CLEANSTART-2026-FW42039
CLEANSTART-2026-HJ04971
CVE-2017-7485
DSA-3851-1
MGASA-2017-0230
RHSA-2017:1677
RHSA-2017:1678
RHSA-2017:1838
RHSA-2017:2425
SUSE-SU-2017:1441-1
SUSE-SU-2017:1690-1
SUSE-SU-2017:1783-1

Affected products

Postgresql
Suse