RedHat: Important: postgresql security update Print E-mail
Posted by Benjamin D. Thomas   
Updated PostgreSQL packages to fix various security flaws are now available for Red Hat Enterprise Linux 2.1AS. This update has been rated as having important security impact by the Red Hat Security Response Team.
- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Important: postgresql security update
Advisory ID:       RHSA-2005:150-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2005-150.html
Issue date:        2005-02-16
Updated on:        2005-02-16
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2005-0227 CAN-2005-0245 CAN-2005-0247
- ---------------------------------------------------------------------

1. Summary:

Updated PostgreSQL packages to fix various security flaws are now available
for Red Hat Enterprise Linux 2.1AS.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386

3. Problem description:

PostgreSQL is an advanced Object-Relational database management system
(DBMS).

A flaw in the LOAD command in PostgreSQL was discovered.  A local user
could use this flaw to load arbitrary shared libraries and therefore
execute arbitrary code, gaining the privileges of the PostgreSQL server. 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0227 to this issue.

Multiple buffer overflows were found in PL/PgSQL.  A database user who has
permissions to create plpgsql functions could trigger this flaw which could
lead to arbitrary code execution, gaining the privileges of the PostgreSQL
server. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CAN-2005-0245 and CAN-2005-0247 to these issues.

Users of PostgreSQL are advised to update to these erratum packages which
are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/
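A post-update check, added here and not part of the advisory: it reports whether the installed PostgreSQL RPMs are at or above the fixed build 7.1.3-6.rhel2.1AS named in this erratum. It assumes rpm(8) is present on the host being checked; the version comparison itself needs only POSIX sh, so it can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not part of RHSA-2005:150: report whether the installed
# PostgreSQL RPMs are at or above the fixed build 7.1.3-6.rhel2.1AS.
# Assumes rpm(8) exists on the host being checked; the comparison functions
# need only POSIX sh, so they can be exercised without rpm.
FIXED_VERSION=7.1.3
FIXED_RELEASE=6     # leading number of the release "6.rhel2.1AS"
# Three-way compare of dotted numeric versions; prints -1, 0 or 1.
# A missing trailing segment counts as 0, so 7.1 equals 7.1.0.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "$ah" = "$a" ] && a= || a=${a#*.}
        [ "$bh" = "$b" ] && b= || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}
# is_fixed VERSION-RELEASE: exit 0 if at/after the fixed build, 1 if older,
# 2 if the string cannot be parsed (no dash, or non-numeric release).
is_fixed() {
    case $1 in *-*) ;; *) return 2 ;; esac
    ver=${1%%-*}; rel=${1#*-}
    relnum=${rel%%.*}
    case $relnum in ''|*[!0-9]*) return 2 ;; esac
    c=$(vercmp "$ver" "$FIXED_VERSION")
    [ "$c" -gt 0 ] && return 0
    [ "$c" -lt 0 ] && return 1
    [ "$relnum" -ge "$FIXED_RELEASE" ]
}
# Query rpm for the packages the advisory ships and flag the old ones.
check_host() {
    rc=0
    for pkg in postgresql postgresql-server postgresql-libs; do
        vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null) || continue
        if is_fixed "$vr"; then
            echo "$pkg-$vr: fixed"
        else
            echo "$pkg-$vr: VULNERABLE, update to $FIXED_VERSION-$FIXED_RELEASE.rhel2.1AS"
            rc=1
        fi
    done
    return $rc
}
case ${1:-} in --check) check_host ;; esac
```

Run it with `--check` on the host; a non-zero exit means at least one installed package predates the fixed build.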

5. Bug IDs fixed (http://bugzilla.redhat.com/):

147703 - CAN-2005-0227 Multiple security and data-loss issues in PostgreSQL (CAN-2004-0977 CAN-2005-0245 CAN-2005-0247)
130818 - PostgreSQL can lose committed transactions

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/postgresql-7.1.3-6.rhel2.1AS.src.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/postgresql-7.1.3-6.rhel2.1AS.src.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/postgresql-7.1.3-6.rhel2.1AS.src.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/postgresql-7.1.3-6.rhel2.1AS.src.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0227
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0247

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.