PostgreSQL has just detected to a really bad information disclosure bug, CVE-2017-7547.
Unfortunately upgrading to a fixed version (for Debian see their security-tracker on CVE-2017-7547) is not enough, existing installations need manual work, as described in PostgreSQL's own news article 1772 describes. That howto is not only less then optimal (first half of step 4 should happen before step 3 for easier scripting) there does not seem to be a script yet.
Therefore I decided to create the following scripts ...
Scripted Solution (for 'main' cluster)
For manual execution and the interested here is what our full script (see below) puts in
/tmp/pg_fix_user_mappings.sql and "executes" on all databases after making additional config changes to and restarting postgres:
What happens in
pg_fix_usermappings.sh performs the following operations:
- Some santiy checks. It's safe to call the script without any parameters
- Restart postgres
- Sleep 60 seconds, because postgres start asynchronously
- Enable changes to
/tmp/pg_fix_user_mappings.sqlto ALL databases
- Disable changes to
- Restart postgres again
pg_fix_usermappings.sh download & execution
To try to fix your PostgreSQL installation in a debian or similar environment:
- Review it!
- Download and execute it as user postgres
Overall (several variants, read before execution)