Leaky PostgreSQL passwords plugged

PostgreSQL has released three security patches for versions 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22. In CVE-2017-7547, a remote attacker can retrieve others' passwords because of a user mapping bug. The authorisation oopsie derives from the database's handling of pg_user_mappings, allowing an authenticated remote attacker …

  1. This post has been deleted by its author

  2. Adam 52 Silver badge

    "a remote attacker can retrieve others' passwords"

    Really? Postgres is storing unhashed passwords?

    1. Anonymous Coward

      This is not the database password for the local passwords. These are passwords for access to a remote server. And in order to use those, they have to be stored in a reversible way. Obviously, regular users should not have access to the cleartext version of this (and that is the bug), but the database server itself needs that access in order to make the connection.

      1. Adam 52 Silver badge

        Thank you.
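
The remote-server passwords described in the reply above are kept as options on user mappings. As an added example (not part of the thread or of PostgreSQL's own advisory), this SQL, run as a superuser, lists which mappings store a password option without printing the password. The names demo_fdw, demo_srv and remote_app are constructed, and the whole script is rolled back.

```sql
-- Added example; every object created here is constructed and rolled back.
BEGIN;

-- A wrapper without a handler or validator is enough to hold options.
CREATE FOREIGN DATA WRAPPER demo_fdw;
CREATE SERVER demo_srv FOREIGN DATA WRAPPER demo_fdw;

-- The mapping keeps the remote credentials in reversible form,
-- because the server must replay them when it connects.
CREATE USER MAPPING FOR CURRENT_USER SERVER demo_srv
    OPTIONS (user 'remote_app', password 'constructed-example');

-- Audit: which mappings carry a password option, who owns the server,
-- and whether the mapped role holds USAGE on that server.
-- Only the option name is matched; the value is never selected.
SELECT s.srvname,
       CASE WHEN um.umuser = 0 THEN 'public'
            ELSE pg_get_userbyid(um.umuser) END      AS mapped_role,
       pg_get_userbyid(s.srvowner)                   AS server_owner,
       CASE WHEN um.umuser = 0 THEN NULL
            ELSE has_server_privilege(um.umuser, s.oid, 'USAGE')
       END                                           AS mapped_role_has_usage
FROM pg_user_mapping um
JOIN pg_foreign_server s ON s.oid = um.umserver
WHERE EXISTS (
    SELECT 1
    FROM unnest(um.umoptions) AS opt
    WHERE opt LIKE 'password=%'
)
ORDER BY s.srvname, mapped_role;

ROLLBACK;
```

Running `SELECT srvname, usename, umoptions IS NOT NULL AS options_visible FROM pg_user_mappings;` as an ordinary role then shows whether that role can see options on mappings that are not its own.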
