PT-2017-3883 · Postgresql

Daniel Gustafsson · Published 2017-05-08 · Updated 2026-01-30

CVE-2017-7485

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

PostgreSQL versions 9.3.x through 9.3.16
PostgreSQL versions 9.4.x through 9.4.11
PostgreSQL versions 9.5.x through 9.5.6
PostgreSQL versions 9.6.x through 9.6.2

Description

The issue lies in the libpq client library of the PostgreSQL database management system, which failed to enforce use of a TLS connection when configured to require one. The PGREQUIRESSL environment variable no longer enforced an SSL/TLS connection to a PostgreSQL server, so a remote attacker positioned between the client and the server could perform a man-in-the-middle attack and strip the SSL/TLS protection from the connection.

Recommendations

For PostgreSQL versions 9.3.x through 9.3.16, update to version 9.3.17 or later.
For PostgreSQL versions 9.4.x through 9.4.11, update to version 9.4.12 or later.
For PostgreSQL versions 9.5.x through 9.5.6, update to version 9.5.7 or later.
For PostgreSQL versions 9.6.x through 9.6.2, update to version 9.6.3 or later.
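As an added example (not part of this advisory or of PostgreSQL's own code), the following Python check resolves which sslmode a libpq client ends up with from its connection string and environment, following libpq's documented precedence (connection string, then PGSSLMODE, then PGREQUIRESSL=1, which only a fixed libpq honours), and flags configurations that rely solely on PGREQUIRESSL. The connection strings and environment values are constructed; libpq_fixed is an assumed input the caller derives from the installed libpq version.

```python
import re
from typing import Dict, Tuple

# Constructed libpq keyword=value connection string (no sslmode set).
SAMPLE_CONNINFO = "host=db.example.internal dbname=app user=app"

# sslmode values under which libpq refuses a plaintext connection.
ENFORCING_MODES = ("require", "verify-ca", "verify-full")


def parse_conninfo(conninfo: str) -> Dict[str, str]:
    """Parse libpq keyword=value pairs; values may be single-quoted with backslash escapes."""
    pairs = re.findall(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|\S+)", conninfo)
    params = {}
    for key, value in pairs:
        if value.startswith("'"):
            value = value[1:-1].replace("\\'", "'").replace("\\\\", "\\")
        params[key] = value
    return params


def effective_sslmode(conninfo: str, env: Dict[str, str], libpq_fixed: bool) -> Tuple[str, str]:
    """Return (sslmode, source) as libpq resolves it.

    Precedence: connection string > PGSSLMODE > PGREQUIRESSL=1 > default 'prefer'.
    A vulnerable libpq (CVE-2017-7485) ignores PGREQUIRESSL, so the connection
    silently falls back to the 'prefer' default and can be downgraded.
    """
    params = parse_conninfo(conninfo)
    if "sslmode" in params:
        return params["sslmode"], "conninfo"
    if env.get("PGSSLMODE"):
        return env["PGSSLMODE"], "PGSSLMODE"
    if env.get("PGREQUIRESSL") == "1":
        if libpq_fixed:
            return "require", "PGREQUIRESSL"
        return "prefer", "PGREQUIRESSL (ignored by vulnerable libpq)"
    return "prefer", "default"


def audit(conninfo: str, env: Dict[str, str], libpq_fixed: bool) -> Dict[str, object]:
    """Summarise whether TLS is actually enforced and whether PGREQUIRESSL is the only reason."""
    mode, source = effective_sslmode(conninfo, env, libpq_fixed)
    return {
        "sslmode": mode,
        "source": source,
        "tls_enforced": mode in ENFORCING_MODES,
        "relies_on_pgrequiressl": source.startswith("PGREQUIRESSL"),
    }
```

A configuration that reports relies_on_pgrequiressl as true is only safe once libpq is updated; setting sslmode explicitly (in the connection string or PGSSLMODE) removes the dependency on the deprecated variable entirely.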

Weakness Enumeration

Missing Encryption of Sensitive Data

Related Identifiers

BDU:2019-04174
CLEANSTART-2026-FW42039
CLEANSTART-2026-HJ04971
CVE-2017-7485
DSA-3851-1
MGASA-2017-0230
RHSA-2017:1677
RHSA-2017:1678
RHSA-2017:1838
RHSA-2017:2425
SUSE-SU-2017:1441-1
SUSE-SU-2017:1690-1
SUSE-SU-2017:1783-1

Affected Products

Postgresql
Suse