Security Advisory Moderate: postgresql security update

Advisory: RHSA-2008:0039-4
Type: Security Advisory
Severity: Moderate
Issued on: 2008-01-11
Last updated on: 2008-01-11
Affected Products: Red Hat Desktop (v. 3)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)
OVAL: com.redhat.rhsa-20080039.xml
CVEs (cve.mitre.org): CVE-2007-3278
CVE-2007-6600
CVE-2007-6601

Details

Updated postgresql packages that fix several security issues are now
available for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

PostgreSQL is an advanced Object-Relational database management system
(DBMS). The postgresql packages include the client programs and libraries
needed to access a PostgreSQL DBMS server.

A privilege escalation flaw was discovered in PostgreSQL. An authenticated
attacker could create an index function that would be executed with
administrator privileges during database maintenance tasks, such as
database vacuuming. (CVE-2007-6600)

A privilege escalation flaw was discovered in PostgreSQL's Database Link
library (dblink). An authenticated attacker could use dblink to possibly
escalate privileges on systems with "trust" or "ident" authentication
configured. Please note that dblink functionality is not enabled by
default, and can only be enabled by a database administrator on systems
with the postgresql-contrib package installed.
(CVE-2007-3278, CVE-2007-6601)
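
As an added check that is not part of the original advisory, the script below lists the pg_hba.conf entries that use the "trust" or "ident" methods named above. The function names and the sample file are constructed for illustration; both the address/mask and the CIDR host forms are handled.

```shell
#!/bin/sh
# Added example (not from the advisory): list pg_hba.conf entries whose
# method is "trust" or "ident", the settings the advisory ties to the
# dblink escalation (CVE-2007-3278, CVE-2007-6601).

# audit_hba FILE: print "LINE TYPE METHOD" for each trust/ident entry.
audit_hba() {
    awk '
        { sub(/#.*/, "") }                    # drop comments
        NF == 0 { next }                      # skip blank lines
        $1 != "local" && $1 !~ /^host/ { next }
        $1 == "local" { m = $4 }              # local DB USER METHOD
        $1 ~ /^host/ {
            # host DB USER ADDR/CIDR METHOD  or  host DB USER ADDR MASK METHOD
            m = ($4 ~ /\//) ? $5 : $6
        }
        m == "trust" || m == "ident" { print NR, $1, m }
    ' "$1"
}

# count_risky FILE: number of trust/ident entries in FILE.
count_risky() {
    audit_hba "$1" | wc -l | tr -d ' '
}

# Constructed sample file, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# TYPE  DATABASE  USER  IP-ADDRESS  IP-MASK          METHOD
local   all       all                                ident sameuser
host    all       all   127.0.0.1   255.255.255.255  trust
host    all       all   10.0.0.0    255.0.0.0        md5
host    appdb     app   192.0.2.0/24                 md5
host    all       all   ::1/128                      ident  # inline comment
EOF

audit_hba "$sample"
echo "risky entries: $(count_risky "$sample")"
rm -f "$sample"
```

Point audit_hba at the server's own pg_hba.conf; `rpm -q rh-postgresql-contrib` shows whether the contrib package that the advisory names as a prerequisite for dblink is installed.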

All postgresql users should upgrade to these updated packages, which
include PostgreSQL 7.3.21 and resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages


Bugs fixed (see bugzilla for more information)

309141 - CVE-2007-3278 dblink allows proxying of database connections via 127.0.0.1
427127 - CVE-2007-6600 PostgreSQL privilege escalation
427128 - CVE-2007-6601 PostgreSQL privilege escalation via dblink



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/