PostgreSQL has just disclosed a really bad information disclosure bug, CVE-2017-7547.
Unfortunately, upgrading to a fixed version (for Debian see their security-tracker on CVE-2017-7547) is not enough; existing installations need manual work, as PostgreSQL's own news article 1772 describes. That howto is not only less than optimal (the first half of step 4 should happen before step 3 for easier scripting), there also does not seem to be a script yet.
Therefore I decided to create the following scripts ...
For manual execution, and for the interested, here is what our full script (see below) puts in /tmp/pg_fix_user_mappings.sql and "executes" on all databases after making additional config changes to and restarting postgres:
    SET search_path = pg_catalog;
    CREATE OR REPLACE VIEW pg_user_mappings AS
        SELECT
            U.oid       AS umid,
            S.oid       AS srvid,
            S.srvname   AS srvname,
            U.umuser    AS umuser,
            CASE WHEN U.umuser = 0 THEN
                'public'
            ELSE
                A.rolname
            END AS usename,
            CASE WHEN
                (U.umuser <> 0 AND A.rolname = current_user
                    AND (pg_has_role(S.srvowner, 'USAGE')
                         OR has_server_privilege(S.oid, 'USAGE')))
                OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
                THEN U.umoptions
            ELSE NULL END AS umoptions
        FROM pg_user_mapping U
            LEFT JOIN pg_authid A ON (A.oid = U.umuser)
            JOIN pg_foreign_server S ON (U.umserver = S.oid);
pg_fix_usermappings.sh
The script pg_fix_usermappings.sh performs the following operations:
- /tmp/pg_fix_user_mappings.sql (see above)
- postgres.conf to postgres.conf.bak
- postgresql.conf with allow_system_table_mods=true
- template0
- /tmp/pg_fix_user_mappings.sql to ALL databases
- template0
- postgresql.conf.bak to postgres.conf
To try to fix your PostgreSQL installation in a Debian or similar environment:
pg_fix_usermappings.sh
Overall (several variants, read before execution)
    # download
    #sudo apt-get install ca-certificates
    wget https://download.clazzes.org/pg_fix_usermappings/pg_fix_usermappings.sh \
      -O /tmp/pg_fix_usermappings.sh

    # make it executable, for user postgres
    chmod ugo+rx /tmp/pg_fix_usermappings.sh

    # it's safe to call the script without any parameters ...
    /tmp/pg_fix_usermappings.sh

    # think about version
    ls -ld /etc/postgresql/*
    dpkg -l |egrep " postgresql-9.[0-9] "

    # execute for 9.6 as non root logging the output
    export MYPGVER=9.6
    ( sudo sudo -u postgres /tmp/pg_fix_usermappings.sh ${MYPGVER} ) \
      2>&1 |tee /var/tmp/pg_fix_usermappings_${MYPGVER}.log

    # after success maybe document
    sudo mv -v /tmp/pg_fix_usermappings.sh /var/tmp/pg_fix_usermappings*.log /var/log/postgresql/
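
A post-fix check, added here as an example and not part of pg_fix_usermappings.sh: it audits each database, template0 included, for the corrected pg_user_mappings definition shown above. The function names are hypothetical, and the test for "fixed" is a heuristic that assumes the corrected view is the one whose stored definition mentions both current_user and has_server_privilege().

```shell
#!/bin/sh
# Added example (not from pg_fix_usermappings.sh): audit each database for the
# corrected pg_user_mappings view. All function names here are hypothetical.

# Heuristic: the corrected definition gates umoptions on BOTH current_user and
# has_server_privilege(); a stored definition lacking either is treated as stale.
viewdef_is_fixed() {
    lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lc" in
        *current_user*) ;;
        *) return 1 ;;
    esac
    case "$lc" in
        *"has_server_privilege("*) return 0 ;;
    esac
    return 1
}

# Fetch the stored view definition from one database (needs a reachable server).
fetch_viewdef_psql() {
    psql -AtX -d "$1" \
        -c "SELECT pg_get_viewdef('pg_catalog.pg_user_mappings'::regclass)"
}

# Read database names from stdin, print "<db> fixed|STALE|UNCHECKED".
# $1 names the fetch function. Returns non-zero unless every database is fixed.
# UNCHECKED covers databases that refuse connections, e.g. template0.
audit_databases() {
    fetch=$1
    bad=0
    while IFS= read -r db; do
        [ -n "$db" ] || continue
        if ! viewdef=$("$fetch" "$db" 2>/dev/null </dev/null); then
            echo "$db UNCHECKED"; bad=1
        elif viewdef_is_fixed "$viewdef"; then
            echo "$db fixed"
        else
            echo "$db STALE"; bad=1
        fi
    done
    return "$bad"
}

# Usage, as user postgres:
#   psql -AtX -d postgres -c 'SELECT datname FROM pg_database' \
#     | audit_databases fetch_viewdef_psql
```

An UNCHECKED result for template0 means the view there could not be inspected, not that it is safe.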