ID CVE-2017-7546
Summary PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password.
References
Vulnerable Configurations
  • PostgreSQL 9.2
    cpe:2.3:a:postgresql:postgresql:9.2
  • PostgreSQL 9.2.1
    cpe:2.3:a:postgresql:postgresql:9.2.1
  • PostgreSQL 9.2.2
    cpe:2.3:a:postgresql:postgresql:9.2.2
  • PostgreSQL 9.2.3
    cpe:2.3:a:postgresql:postgresql:9.2.3
  • PostgreSQL 9.2.4
    cpe:2.3:a:postgresql:postgresql:9.2.4
  • PostgreSQL 9.2.5
    cpe:2.3:a:postgresql:postgresql:9.2.5
  • PostgreSQL 9.2.6
    cpe:2.3:a:postgresql:postgresql:9.2.6
  • PostgreSQL 9.2.7
    cpe:2.3:a:postgresql:postgresql:9.2.7
  • PostgreSQL 9.2.8
    cpe:2.3:a:postgresql:postgresql:9.2.8
  • PostgreSQL 9.2.9
    cpe:2.3:a:postgresql:postgresql:9.2.9
  • PostgreSQL 9.2.10
    cpe:2.3:a:postgresql:postgresql:9.2.10
  • PostgreSQL 9.2.11
    cpe:2.3:a:postgresql:postgresql:9.2.11
  • PostgreSQL 9.2.12
    cpe:2.3:a:postgresql:postgresql:9.2.12
  • PostgreSQL 9.2.13
    cpe:2.3:a:postgresql:postgresql:9.2.13
  • PostgreSQL 9.2.14
    cpe:2.3:a:postgresql:postgresql:9.2.14
  • PostgreSQL 9.2.15
    cpe:2.3:a:postgresql:postgresql:9.2.15
  • PostgreSQL 9.2.16
    cpe:2.3:a:postgresql:postgresql:9.2.16
  • PostgreSQL 9.2.17
    cpe:2.3:a:postgresql:postgresql:9.2.17
  • PostgreSQL 9.2.18
    cpe:2.3:a:postgresql:postgresql:9.2.18
  • PostgreSQL 9.2.19
    cpe:2.3:a:postgresql:postgresql:9.2.19
  • PostgreSQL 9.2.20
    cpe:2.3:a:postgresql:postgresql:9.2.20
  • PostgreSQL 9.2.21
    cpe:2.3:a:postgresql:postgresql:9.2.21
  • PostgreSQL 9.3
    cpe:2.3:a:postgresql:postgresql:9.3
  • PostgreSQL 9.3.1
    cpe:2.3:a:postgresql:postgresql:9.3.1
  • PostgreSQL 9.3.2
    cpe:2.3:a:postgresql:postgresql:9.3.2
  • PostgreSQL 9.3.3
    cpe:2.3:a:postgresql:postgresql:9.3.3
  • PostgreSQL 9.3.4
    cpe:2.3:a:postgresql:postgresql:9.3.4
  • PostgreSQL 9.3.5
    cpe:2.3:a:postgresql:postgresql:9.3.5
  • PostgreSQL 9.3.6
    cpe:2.3:a:postgresql:postgresql:9.3.6
  • PostgreSQL 9.3.7
    cpe:2.3:a:postgresql:postgresql:9.3.7
  • PostgreSQL 9.3.8
    cpe:2.3:a:postgresql:postgresql:9.3.8
  • PostgreSQL 9.3.9
    cpe:2.3:a:postgresql:postgresql:9.3.9
  • PostgreSQL 9.3.10
    cpe:2.3:a:postgresql:postgresql:9.3.10
  • PostgreSQL 9.3.11
    cpe:2.3:a:postgresql:postgresql:9.3.11
  • PostgreSQL 9.3.12
    cpe:2.3:a:postgresql:postgresql:9.3.12
  • PostgreSQL 9.3.13
    cpe:2.3:a:postgresql:postgresql:9.3.13
  • PostgreSQL 9.3.14
    cpe:2.3:a:postgresql:postgresql:9.3.14
  • PostgreSQL 9.3.15
    cpe:2.3:a:postgresql:postgresql:9.3.15
  • PostgreSQL 9.3.16
    cpe:2.3:a:postgresql:postgresql:9.3.16
  • PostgreSQL 9.3.17
    cpe:2.3:a:postgresql:postgresql:9.3.17
  • PostgreSQL 9.4
    cpe:2.3:a:postgresql:postgresql:9.4
  • PostgreSQL 9.4.1
    cpe:2.3:a:postgresql:postgresql:9.4.1
  • PostgreSQL 9.4.2
    cpe:2.3:a:postgresql:postgresql:9.4.2
  • PostgreSQL 9.4.3
    cpe:2.3:a:postgresql:postgresql:9.4.3
  • PostgreSQL 9.4.4
    cpe:2.3:a:postgresql:postgresql:9.4.4
  • PostgreSQL 9.4.5
    cpe:2.3:a:postgresql:postgresql:9.4.5
  • PostgreSQL 9.4.6
    cpe:2.3:a:postgresql:postgresql:9.4.6
  • PostgreSQL 9.4.7
    cpe:2.3:a:postgresql:postgresql:9.4.7
  • PostgreSQL 9.4.8
    cpe:2.3:a:postgresql:postgresql:9.4.8
  • PostgreSQL 9.4.9
    cpe:2.3:a:postgresql:postgresql:9.4.9
  • PostgreSQL 9.4.10
    cpe:2.3:a:postgresql:postgresql:9.4.10
  • PostgreSQL 9.4.11
    cpe:2.3:a:postgresql:postgresql:9.4.11
  • PostgreSQL 9.4.12
    cpe:2.3:a:postgresql:postgresql:9.4.12
  • PostgreSQL 9.5
    cpe:2.3:a:postgresql:postgresql:9.5
  • PostgreSQL 9.5.1
    cpe:2.3:a:postgresql:postgresql:9.5.1
  • PostgreSQL 9.5.2
    cpe:2.3:a:postgresql:postgresql:9.5.2
  • PostgreSQL 9.5.3
    cpe:2.3:a:postgresql:postgresql:9.5.3
  • PostgreSQL 9.5.4
    cpe:2.3:a:postgresql:postgresql:9.5.4
  • PostgreSQL 9.5.5
    cpe:2.3:a:postgresql:postgresql:9.5.5
  • PostgreSQL 9.5.6
    cpe:2.3:a:postgresql:postgresql:9.5.6
  • PostgreSQL 9.5.7
    cpe:2.3:a:postgresql:postgresql:9.5.7
  • PostgreSQL 9.6
    cpe:2.3:a:postgresql:postgresql:9.6
  • PostgreSQL 9.6.1
    cpe:2.3:a:postgresql:postgresql:9.6.1
  • PostgreSQL 9.6.2
    cpe:2.3:a:postgresql:postgresql:9.6.2
  • PostgreSQL 9.6.3
    cpe:2.3:a:postgresql:postgresql:9.6.3
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
CVSS
Base: 7.5
Impact:
Exploitability:
CWE CWE-287
CAPEC
  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Utilizing REST's Trust in the System Resource to Register Man in the Middle
    This attack utilizes a REST (REpresentational State Transfer)-style application's trust in the system resources and environment to place a man in the middle once SSL is terminated. The premise of REST applications is that they leverage existing infrastructure to deliver web services functionality. An example of this is a REST application that uses HTTP GET methods and receives an HTTP response with an XML document. These REST-style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately, from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so REST developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized users do. There is not typically an authentication on the client side, beyond what is passed in the request itself, so once this is compromised, this is generally sufficient to compromise the service's authentication scheme.
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent, leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identity between two components.
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201710-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201710-06 (PostgreSQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PostgreSQL. Please review the referenced CVE identifiers for details. Impact : A remote attacker could escalate privileges, cause a Denial of Service condition, obtain passwords, cause a loss in information, or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 103724
    published 2017-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103724
    title GLSA-201710-06 : PostgreSQL: Multiple vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2860.NASL
    description An update for postgresql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). Security Fix(es) : * It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as the original reporters.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 103706
    published 2017-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103706
    title CentOS 6 : postgresql (CESA-2017:2860)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2728.NASL
    description From Red Hat Security Advisory 2017:2728 : An update for postgresql is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (9.2.23). (BZ#1484639, BZ#1484647) Security Fix(es) : * It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) * An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as the original reporters of CVE-2017-7546; and Jeff Janes as the original reporter of CVE-2017-7547.
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 103238
    published 2017-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103238
    title Oracle Linux 7 : postgresql (ELSA-2017-2728)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2728.NASL
    description An update for postgresql is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (9.2.23). (BZ#1484639, BZ#1484647) Security Fix(es) : * It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) * An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as the original reporters of CVE-2017-7546; and Jeff Janes as the original reporter of CVE-2017-7547.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 103230
    published 2017-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103230
    title CentOS 7 : postgresql (CESA-2017:2728)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-2860.NASL
    description An update for postgresql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). Security Fix(es) : * It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as the original reporters. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 119231
    published 2018-11-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119231
    title Virtuozzo 6 : postgresql / postgresql-contrib / postgresql-devel / etc (VZLSA-2017-2860)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1232.NASL
    description According to the versions of the postgresql packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) - An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 103734
    published 2017-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103734
    title EulerOS 2.0 SP2 : postgresql (EulerOS-SA-2017-1232)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-F9E66916EC.NASL
    description https://www.postgresql.org/docs/9.6/static/release-9-6-4.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 102614
    published 2017-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102614
    title Fedora 26 : mingw-postgresql (2017-f9e66916ec)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-884.NASL
    description pg_user_mappings view discloses passwords to users lacking server privileges : An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Empty password accepted in some authentication methods : It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 102872
    published 2017-09-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102872
    title Amazon Linux AMI : postgresql93 / postgresql92 (ALAS-2017-884)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170914_POSTGRESQL_ON_SL7_X.NASL
    description The following packages have been upgraded to a later upstream version: postgresql (9.2.23). Security Fix(es) : - It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) - An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 103244
    published 2017-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103244
    title Scientific Linux Security Update : postgresql on SL7.x x86_64
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-908.NASL
    description The pg_user_mappings view discloses passwords to users lacking server privileges : An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Empty password accepted in some authentication methods : It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 103755
    published 2017-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103755
    title Amazon Linux AMI : postgresql96 (ALAS-2017-908)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2860.NASL
    description From Red Hat Security Advisory 2017:2860 : An update for postgresql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). Security Fix(es) : * It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as the original reporters.
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 103684
    published 2017-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103684
    title Oracle Linux 6 : postgresql (ELSA-2017-2860)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20171005_POSTGRESQL_ON_SL6_X.NASL
    description Security Fix(es) : - It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 103688
    published 2017-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103688
    title Scientific Linux Security Update : postgresql on SL6.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3390-1.NASL
    description Ben de Graaff, Jelte Fennema, and Jeroen van der Ham discovered that PostgreSQL allowed the use of empty passwords in some authentication methods, contrary to expected behaviour. A remote attacker could use an empty password to authenticate to servers that were believed to have password login disabled. (CVE-2017-7546) Jeff Janes discovered that PostgreSQL incorrectly handled the pg_user_mappings catalog view. A remote attacker without server privileges could possibly use this issue to obtain certain passwords. (CVE-2017-7547) Chapman Flack discovered that PostgreSQL incorrectly handled lo_put() permissions. A remote attacker could possibly use this issue to change the data in a large object. (CVE-2017-7548). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 102522
    published 2017-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102522
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : postgresql-9.3, postgresql-9.5, postgresql-9.6 vulnerabilities (USN-3390-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2728.NASL
    description An update for postgresql is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (9.2.23). (BZ#1484639, BZ#1484647) Security Fix(es) : * It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) * An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as the original reporters of CVE-2017-7546; and Jeff Janes as the original reporter of CVE-2017-7547.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 103209
    published 2017-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103209
    title RHEL 7 : postgresql (RHSA-2017:2728)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1231.NASL
    description According to the versions of the postgresql packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) - An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 103733
    published 2017-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103733
    title EulerOS 2.0 SP1 : postgresql (EulerOS-SA-2017-1231)
  • NASL family Databases
    NASL id POSTGRESQL_20170810.NASL
    description The version of PostgreSQL installed on the remote host is 9.2.x prior to 9.2.22, 9.3.x prior to 9.3.18, 9.4.x prior to 9.4.13, 9.5.x prior to 9.5.8, or 9.6.x prior to 9.6.4. It is, therefore, affected by multiple vulnerabilities : - An authentication bypass flaw exists in that an empty password is accepted in some authentication methods. (CVE-2017-7546) - An information disclosure vulnerability exists in the 'pg_user_mappings' catalog view that can disclose passwords to users lacking server privileges. (CVE-2017-7547) Note: The 'pg_user_mappings' update will only fix the behavior in newly created clusters utilizing initdb. To fix this issue on existing systems you will need to follow the steps in the release notes. - A flaw exists in the lo_put() function due to improper checking of permissions that leads to ignoring of ACLs. (CVE-2017-7548)
    last seen 2019-02-21
    modified 2018-12-14
    plugin id 102527
    published 2017-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102527
    title PostgreSQL 9.2.x < 9.2.22 / 9.3.x < 9.3.18 / 9.4.x < 9.4.13 / 9.5.x < 9.5.8 / 9.6.x < 9.6.4 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-D9CAC37BD8.NASL
    description rebase: update to 9.6.4, security fix for CVE-2017-7546 CVE-2017-7547 CVE-2017-7548 Per release notes: https://www.postgresql.org/docs/9.6/static/release-9-6-4.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 102490
    published 2017-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102490
    title Fedora 26 : postgresql (2017-d9cac37bd8)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1021.NASL
    description This update for postgresql96 fixes the following issues : - CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) - CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) - CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) The changelog for this release is here: https://www.postgresql.org/docs/9.6/static/release-9-6-4.html This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 103157
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103157
    title openSUSE Security Update : postgresql96 (openSUSE-2017-1021)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-985.NASL
    description Postgresql93 was updated to 9.3.18 to fix the following issues : - CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) - CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) - CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) The changelog for the release is here : https://www.postgresql.org/docs/9.3/static/release-9-3-18.html This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 102847
    published 2017-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102847
    title openSUSE Security Update : postgresql93 (openSUSE-2017-985)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3936.NASL
    description Several vulnerabilities have been found in the PostgreSQL database system : - CVE-2017-7546 In some authentication methods empty passwords were accepted. - CVE-2017-7547 User mappings could leak data to unprivileged users. - CVE-2017-7548 The lo_put() function ignored ACLs. For more in-depth descriptions of the security vulnerabilities, please see https://www.postgresql.org/about/news/1772/
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 102443
    published 2017-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102443
    title Debian DSA-3936-1 : postgresql-9.6 - security update
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2860.NASL
    description An update for postgresql is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). Security Fix(es) : * It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as the original reporters.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 103686
    published 2017-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103686
    title RHEL 6 : postgresql (RHSA-2017:2860)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1051.NASL
    description Several vulnerabilities have been found in the PostgreSQL database system : CVE-2017-7486 Andrew Wheelwright discovered that user mappings were insufficiently restricted. CVE-2017-7546 In some authentication methods empty passwords were accepted. CVE-2017-7547 User mappings could leak data to unprivileged users. For Debian 7 'Wheezy', these problems have been fixed in version 9.1.24lts2-0+deb7u1. We recommend that you upgrade your postgresql-9.1 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 102368
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102368
    title Debian DLA-1051-1 : postgresql-9.1 security update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1020.NASL
    description This update for postgresql94 fixes the following issues : - CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) - CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) - CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 103156
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103156
    title openSUSE Security Update : postgresql94 (openSUSE-2017-1020)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-9148FE36B9.NASL
    description rebase: update to 9.5.8, security fix for CVE-2017-7546 CVE-2017-7547 CVE-2017-7548 Per release notes: http://www.postgresql.org/docs/9.5/static/release-9-5-8.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 102828
    published 2017-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102828
    title Fedora 25 : postgresql (2017-9148fe36b9)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2236-1.NASL
    description Postgresql93 was updated to 9.3.18 to fix the following issues : - CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) - CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) - CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) The changelog for the release is here: https://www.postgresql.org/docs/9.3/static/release-9-3-18.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 102695
    published 2017-08-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102695
    title SUSE SLES12 Security Update : postgresql93 (SUSE-SU-2017:2236-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3935.NASL
    description Several vulnerabilities have been found in the PostgreSQL database system : - CVE-2017-7546 In some authentication methods empty passwords were accepted. - CVE-2017-7547 User mappings could leak data to unprivileged users. - CVE-2017-7548 The lo_put() function ignored ACLs. For more in-depth descriptions of the security vulnerabilities, please see https://www.postgresql.org/about/news/1772/
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 102442
    published 2017-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102442
    title Debian DSA-3935-1 : postgresql-9.4 - security update
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_982872F17DD311E797366CC21735F730.NASL
    description The PostgreSQL project reports : - CVE-2017-7546: Empty password accepted in some authentication methods - CVE-2017-7547: The 'pg_user_mappings' catalog view discloses passwords to users lacking server privileges - CVE-2017-7548: lo_put() function ignores ACLs
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 102408
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102408
    title FreeBSD : PostgreSQL vulnerabilities (982872f1-7dd3-11e7-9736-6cc21735f730)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2356-1.NASL
    description This update for postgresql96 fixes the following issues : - CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) - CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) - CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) The changelog for this release is here: https://www.postgresql.org/docs/9.6/static/release-9-6-4.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 102974
    published 2017-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102974
    title SUSE SLED12 / SLES12 Security Update : postgresql96 (SUSE-SU-2017:2356-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-885.NASL
    description pg_user_mappings view discloses passwords to users lacking server privileges : An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Empty password accepted in some authentication methods : It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) lo_put() function ignores ACLs : An authorization flaw was found in the way PostgreSQL handled large objects. A remote authenticated attacker with no privileges on a large object could potentially use this flaw to overwrite the entire content of the object, thus resulting in denial of service. (CVE-2017-7548)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 102873
    published 2017-09-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102873
    title Amazon Linux AMI : postgresql94 / postgresql95 (ALAS-2017-885)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2355-1.NASL
    description This update for postgresql94 fixes the following issues : - CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) - CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) - CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 102973
    published 2017-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102973
    title SUSE SLED12 / SLES12 Security Update : postgresql94 (SUSE-SU-2017:2355-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2258-1.NASL
    description Postgresql94 was updated to 9.4.13 to fix the following issues : - CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) - CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) - CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) The changelog for this release is here: https://www.postgresql.org/docs/9.4/static/release-9-4-13.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 102800
    published 2017-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102800
    title SUSE SLES11 Security Update : postgresql94 (SUSE-SU-2017:2258-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-204.NASL
    description This update for postgresql95 fixes the following issues : Update to PostgreSQL 9.5.11 : Security issues fixed : - https://www.postgresql.org/docs/9.5/static/release-9-5-11.html - CVE-2018-1053, boo#1077983: Ensure that all temporary files made by pg_upgrade are non-world-readable. - boo#1079757: Rename pg_rewind's copy_file_range function to avoid conflict with new Linux system call of that name. In version 9.5.10 : - https://www.postgresql.org/docs/9.5/static/release-9-5-10.html - CVE-2017-15098, boo#1067844: Memory disclosure in JSON functions. - CVE-2017-15099, boo#1067841: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges. In version 9.5.9 : - https://www.postgresql.org/docs/9.5/static/release-9-5-9.html - Show foreign tables in information_schema.table_privileges view. - Clean up handling of a fatal exit (e.g., due to receipt of SIGTERM) that occurs while trying to execute a ROLLBACK of a failed transaction. - Remove assertion that could trigger during a fatal exit. - Correctly identify columns that are of a range type or domain type over a composite type or domain type being searched for. - Fix crash in pg_restore when using parallel mode and using a list file to select a subset of items to restore. - Change ecpg's parser to allow RETURNING clauses without attached C variables. In version 9.5.8 - https://www.postgresql.org/docs/9.5/static/release-9-5-8.html - CVE-2017-7547, boo#1051685: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. - CVE-2017-7546, boo#1051684: Disallow empty passwords in all password-based authentication methods. - CVE-2017-7548, boo#1053259: lo_put() function ignores ACLs.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 106965
    published 2018-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106965
    title openSUSE Security Update : postgresql95 (openSUSE-2018-204)
redhat via4
advisories
  • bugzilla
    id 1477184
    title CVE-2017-7546 postgresql: Empty password accepted in some authentication methods
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment postgresql is earlier than 0:8.4.20-8.el6_9
          oval oval:com.redhat.rhsa:tst:20172860005
        • comment postgresql is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908006
      • AND
        • comment postgresql-contrib is earlier than 0:8.4.20-8.el6_9
          oval oval:com.redhat.rhsa:tst:20172860009
        • comment postgresql-contrib is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908014
      • AND
        • comment postgresql-devel is earlier than 0:8.4.20-8.el6_9
          oval oval:com.redhat.rhsa:tst:20172860021
        • comment postgresql-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908010
      • AND
        • comment postgresql-docs is earlier than 0:8.4.20-8.el6_9
          oval oval:com.redhat.rhsa:tst:20172860015
        • comment postgresql-docs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908016
      • AND
        • comment postgresql-libs is earlier than 0:8.4.20-8.el6_9
          oval oval:com.redhat.rhsa:tst:20172860023
        • comment postgresql-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908024
      • AND
        • comment postgresql-plperl is earlier than 0:8.4.20-8.el6_9
          oval oval:com.redhat.rhsa:tst:20172860011
        • comment postgresql-plperl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908022
      • AND
        • comment postgresql-plpython is earlier than 0:8.4.20-8.el6_9
          oval oval:com.redhat.rhsa:tst:20172860007
        • comment postgresql-plpython is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908018
      • AND
        • comment postgresql-pltcl is earlier than 0:8.4.20-8.el6_9
          oval oval:com.redhat.rhsa:tst:20172860019
        • comment postgresql-pltcl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908020
      • AND
        • comment postgresql-server is earlier than 0:8.4.20-8.el6_9
          oval oval:com.redhat.rhsa:tst:20172860013
        • comment postgresql-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908012
      • AND
        • comment postgresql-test is earlier than 0:8.4.20-8.el6_9
          oval oval:com.redhat.rhsa:tst:20172860017
        • comment postgresql-test is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908008
    rhsa
    id RHSA-2017:2860
    released 2017-10-05
    severity Moderate
    title RHSA-2017:2860: postgresql security update (Moderate)
  • rhsa
    id RHSA-2017:2677
  • rhsa
    id RHSA-2017:2678
  • rhsa
    id RHSA-2017:2728
rpms
  • postgresql-0:9.2.23-1.el7_4
  • postgresql-contrib-0:9.2.23-1.el7_4
  • postgresql-devel-0:9.2.23-1.el7_4
  • postgresql-docs-0:9.2.23-1.el7_4
  • postgresql-libs-0:9.2.23-1.el7_4
  • postgresql-plperl-0:9.2.23-1.el7_4
  • postgresql-plpython-0:9.2.23-1.el7_4
  • postgresql-pltcl-0:9.2.23-1.el7_4
  • postgresql-server-0:9.2.23-1.el7_4
  • postgresql-static-0:9.2.23-1.el7_4
  • postgresql-test-0:9.2.23-1.el7_4
  • postgresql-upgrade-0:9.2.23-1.el7_4
  • postgresql-0:8.4.20-8.el6_9
  • postgresql-contrib-0:8.4.20-8.el6_9
  • postgresql-devel-0:8.4.20-8.el6_9
  • postgresql-docs-0:8.4.20-8.el6_9
  • postgresql-libs-0:8.4.20-8.el6_9
  • postgresql-plperl-0:8.4.20-8.el6_9
  • postgresql-plpython-0:8.4.20-8.el6_9
  • postgresql-pltcl-0:8.4.20-8.el6_9
  • postgresql-server-0:8.4.20-8.el6_9
  • postgresql-test-0:8.4.20-8.el6_9
refmap via4
bid 100278
confirm https://www.postgresql.org/about/news/1772/
debian
  • DSA-3935
  • DSA-3936
gentoo GLSA-201710-06
sectrack 1039142
Last major update 16-08-2017 - 14:29
Published 16-08-2017 - 14:29
Last modified 17-07-2018 - 14:07