CVE-2017-7485

Published: 12 May 2017

In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.

Priority

Low

CVSS 3 base score: 5.9

Status

Package Release Status
postgresql-9.1
Launchpad, Ubuntu, Debian
Upstream Not vulnerable

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected)
postgresql-9.3
Launchpad, Ubuntu, Debian
Upstream Needed

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr)
Released (9.3.17-0ubuntu0.14.04)
postgresql-9.5
Launchpad, Ubuntu, Debian
Upstream
Released (9.5.7)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (9.5.7-0ubuntu0.16.04)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

postgresql-9.6
Launchpad, Ubuntu, Debian
Upstream
Released (9.6.3)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=aafbd1df969135c185947c596c46608fc9f4a67c