Security Advisory Moderate: postgresql security update

Advisory: RHSA-2008:0040-4
Type: Security Advisory
Severity: Moderate
Issued on: 2008-02-01
Last updated on: 2008-02-01
Affected Products:
  Red Hat Application Stack v1 for Enterprise Linux AS (v.4)
  Red Hat Application Stack v1 for Enterprise Linux ES (v.4)
  Red Hat Application Stack v2
CVEs (cve.mitre.org):
  CVE-2007-3278
  CVE-2007-4769
  CVE-2007-4772
  CVE-2007-6067
  CVE-2007-6600
  CVE-2007-6601

Details

Updated postgresql packages that fix several security issues are now
available for Red Hat Application Stack v1 and v2.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

PostgreSQL is an advanced Object-Relational database management system
(DBMS). The postgresql packages include the client programs and libraries
needed to access a PostgreSQL DBMS server.

Will Drewry discovered multiple flaws in PostgreSQL's regular expression
engine. An authenticated attacker could use these flaws to cause a denial
of service by causing the PostgreSQL server to crash, enter an infinite
loop, or use extensive CPU and memory resources while processing queries
containing specially crafted regular expressions. Applications that accept
regular expressions from untrusted sources may expose this problem to
unauthorized attackers. (CVE-2007-4769, CVE-2007-4772, CVE-2007-6067)

A privilege escalation flaw was discovered in PostgreSQL. An authenticated
attacker could create an index function that would be executed with
administrator privileges during database maintenance tasks, such as
database vacuuming. (CVE-2007-6600)

A privilege escalation flaw was discovered in PostgreSQL's Database Link
library (dblink). An authenticated attacker could use dblink to possibly
escalate privileges on systems with "trust" or "ident" authentication
configured. Please note that dblink functionality is not enabled by
default, and can only be enabled by a database administrator on systems
with the postgresql-contrib package installed.
(CVE-2007-3278, CVE-2007-6601)

All postgresql users should upgrade to these updated packages, which
include PostgreSQL 8.1.11 and 8.2.6, and resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
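The advisory states that the fixed builds are PostgreSQL 8.1.11 (Application Stack v1) and 8.2.6 (Application Stack v2). The following Python script is an added example, not part of the advisory or of Red Hat's tooling: it takes the output of `rpm -qa 'postgresql*'` (a constructed sample is embedded) and classifies each package by comparing its upstream version numerically against the fixed version for its branch, so that 8.1.9 is correctly reported as older than 8.1.11 (a plain string comparison would get that wrong). The regular expression for the package name layout is an assumption about standard RPM naming; the check looks only at the upstream version, not at Epoch or Release as `rpm` itself would, and "not-covered" means the branch is outside this advisory's scope, not that it is safe.

```python
import re

# Fixed upstream versions named in RHSA-2008:0040, keyed by release branch
# (8.1.x ships with Application Stack v1, 8.2.x with Application Stack v2).
FIXED_VERSIONS = {"8.1": (8, 1, 11), "8.2": (8, 2, 6)}

# Assumed shape of `rpm -qa 'postgresql*'` lines:
# <name>-<upstream version>-<release>.<arch>
# e.g. postgresql-server-8.1.11-1.el4s1.1.x86_64
_RPM_RE = re.compile(
    r"^(?P<name>postgresql(?:-[a-z]+)?)-(?P<version>\d+(?:\.\d+)+)-(?P<release>[^-]+)\.(?P<arch>\w+)$"
)

# Constructed sample of rpm -qa output (not taken from a real host).
SAMPLE_RPM_QA = """\
postgresql-8.1.9-1.el4s1.1.x86_64
postgresql-server-8.1.11-1.el4s1.1.x86_64
postgresql-libs-8.1.11-1.el4s1.1.i386
postgresql-contrib-8.2.5-1.el5s2.i386
postgresql-plperl-8.2.6-1.el5s2.x86_64
postgresql-docs-8.0.13-1.el4.i386
postgresql-8.1.11
"""


def parse_version(version):
    """'8.1.11' -> (8, 1, 11); integer tuples so 8.1.9 sorts below 8.1.11."""
    return tuple(int(part) for part in version.split("."))


def classify_version(version):
    """Return 'fixed', 'vulnerable' or 'not-covered' for an upstream version string."""
    parts = parse_version(version)
    branch = "%d.%d" % parts[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Branch not addressed by this advisory (e.g. 8.0.x); needs a separate check.
        return "not-covered"
    return "fixed" if parts >= fixed else "vulnerable"


def audit_rpm_list(lines):
    """Classify each rpm -qa line; returns (name, version, status) tuples."""
    report = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = _RPM_RE.match(line)
        if m is None:
            # Keep unparsable lines visible rather than silently dropping them.
            report.append((line, None, "unparsed"))
            continue
        version = m.group("version")
        report.append((m.group("name"), version, classify_version(version)))
    return report


def vulnerable_packages(lines):
    """Names of packages whose upstream version predates the fixed version."""
    return [name for name, _, status in audit_rpm_list(lines) if status == "vulnerable"]


if __name__ == "__main__":
    for name, version, status in audit_rpm_list(SAMPLE_RPM_QA.splitlines()):
        print("%-24s %-8s %s" % (name, version or "-", status))
```

On a real host, pipe `rpm -qa 'postgresql*'` into `audit_rpm_list` instead of the constructed sample; any line reported as "vulnerable" is a package this advisory expects to be upgraded, and "unparsed" lines should be inspected by hand rather than ignored.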

Updated packages

Red Hat Application Stack v1 for Enterprise Linux AS (v.4)

SRPMS:
postgresql-8.1.11-1.el4s1.1.src.rpm
File outdated by:  RHEA-2008:0975
    MD5: 7422cf0ddae811ef77f996cd1fb4d7c9
 
IA-32:
postgresql-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 639f6eb0e807b462455a354332a24c2f
postgresql-contrib-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: f21d4901a527603e85791d7897c34037
postgresql-devel-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: ca5f3b35684feaa228f1bf2a7baf34f5
postgresql-docs-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 3507f4ef581bafc810dee948313c0cb5
postgresql-libs-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 4fc91f180bbec078e47b4f148645f518
postgresql-pl-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 2e05ba90dbacb9d707b2282359717c01
postgresql-python-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 17c5373740736b8638c2ea40f366dfa9
postgresql-server-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 394e36762ae5961e8c81da7f1fd50b02
postgresql-tcl-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 1a2cccdf4bb9341322c4c2a339c74290
postgresql-test-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 0f5f3bdfd8fa8ec4be18c811d1a56215
 
x86_64:
postgresql-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: ca4b2d8fac1c00ab515679fff351982f
postgresql-contrib-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: 14e168176ef553d7eb300a673a517d36
postgresql-devel-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: 99072584dd2edd3398176643b91b9950
postgresql-docs-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: 93254c87640a395183e048aa7cbab0d2
postgresql-libs-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 4fc91f180bbec078e47b4f148645f518
postgresql-libs-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: 29bdef809549c576324cc00a3ceb93cf
postgresql-pl-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: 3e7ad55c88b75a349abc01ce968349be
postgresql-python-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: a7df3947dcddc112108c2e4fefd4154c
postgresql-server-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: b58a4d1a039c7ebb1a585876c34977fb
postgresql-tcl-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: fd80241be3149d6d32a3fa1d4276ae87
postgresql-test-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: 592c307d2d5c6c8f39898f1a94bdce97
 
Red Hat Application Stack v1 for Enterprise Linux ES (v.4)

SRPMS:
postgresql-8.1.11-1.el4s1.1.src.rpm
File outdated by:  RHEA-2008:0975
    MD5: 7422cf0ddae811ef77f996cd1fb4d7c9
 
IA-32:
postgresql-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 639f6eb0e807b462455a354332a24c2f
postgresql-contrib-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: f21d4901a527603e85791d7897c34037
postgresql-devel-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: ca5f3b35684feaa228f1bf2a7baf34f5
postgresql-docs-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 3507f4ef581bafc810dee948313c0cb5
postgresql-libs-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 4fc91f180bbec078e47b4f148645f518
postgresql-pl-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 2e05ba90dbacb9d707b2282359717c01
postgresql-python-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 17c5373740736b8638c2ea40f366dfa9
postgresql-server-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 394e36762ae5961e8c81da7f1fd50b02
postgresql-tcl-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 1a2cccdf4bb9341322c4c2a339c74290
postgresql-test-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 0f5f3bdfd8fa8ec4be18c811d1a56215
 
x86_64:
postgresql-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: ca4b2d8fac1c00ab515679fff351982f
postgresql-contrib-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: 14e168176ef553d7eb300a673a517d36
postgresql-devel-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: 99072584dd2edd3398176643b91b9950
postgresql-docs-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: 93254c87640a395183e048aa7cbab0d2
postgresql-libs-8.1.11-1.el4s1.1.i386.rpm
File outdated by:  RHEA-2008:0975
    MD5: 4fc91f180bbec078e47b4f148645f518
postgresql-libs-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: 29bdef809549c576324cc00a3ceb93cf
postgresql-pl-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: 3e7ad55c88b75a349abc01ce968349be
postgresql-python-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: a7df3947dcddc112108c2e4fefd4154c
postgresql-server-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: b58a4d1a039c7ebb1a585876c34977fb
postgresql-tcl-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: fd80241be3149d6d32a3fa1d4276ae87
postgresql-test-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: 592c307d2d5c6c8f39898f1a94bdce97
 
Red Hat Application Stack v2

SRPMS:
postgresql-8.2.6-1.el5s2.src.rpm
File outdated by:  RHSA-2009:1461
    MD5: f97beb5cc939dcf7430368f3d6d82e4d
 
IA-32:
postgresql-8.2.6-1.el5s2.i386.rpm
File outdated by:  RHSA-2009:1461
    MD5: d6c703a4550aa1f5a20479c3b430bb9b
postgresql-contrib-8.2.6-1.el5s2.i386.rpm
File outdated by:  RHSA-2009:1461
    MD5: 672fef3e3948b6533f04aa96ccbdb991
postgresql-devel-8.2.6-1.el5s2.i386.rpm
File outdated by:  RHSA-2009:1461
    MD5: 348cb782623d140efc1c42fe48912819
postgresql-docs-8.2.6-1.el5s2.i386.rpm
File outdated by:  RHSA-2009:1461
    MD5: 36fea24b27a733c72bf14809b2083b7b
postgresql-libs-8.2.6-1.el5s2.i386.rpm
File outdated by:  RHSA-2009:1461
    MD5: 4c87329c00948f05a9415fa7e769b06f
postgresql-plperl-8.2.6-1.el5s2.i386.rpm
File outdated by:  RHSA-2009:1461
    MD5: a44d45770e3df6f9f44ce518300689f0
postgresql-plpython-8.2.6-1.el5s2.i386.rpm
File outdated by:  RHSA-2009:1461
    MD5: 8581a51c274d2542ceebec19f0ebad36
postgresql-pltcl-8.2.6-1.el5s2.i386.rpm
File outdated by:  RHSA-2009:1461
    MD5: 8940606506cf48a5098105fa29e540db
postgresql-python-8.2.6-1.el5s2.i386.rpm
File outdated by:  RHSA-2009:1461
    MD5: ca1506e91f560e90d60f5da8830c82e2
postgresql-server-8.2.6-1.el5s2.i386.rpm
File outdated by:  RHSA-2009:1461
    MD5: 34046ebcfc1f8648b7668c36867c17ed
postgresql-tcl-8.2.6-1.el5s2.i386.rpm
File outdated by:  RHSA-2009:1461
    MD5: 7f0a3d7d966a4079d4b0a63cd67fbdbf
postgresql-test-8.2.6-1.el5s2.i386.rpm
File outdated by:  RHSA-2009:1461
    MD5: 21e5640600b07536f575cfa3dffd08af
 
x86_64:
postgresql-8.2.6-1.el5s2.x86_64.rpm
File outdated by:  RHSA-2009:1461
    MD5: 9d83bfec4bbe44f2b62dece9ea94d8cc
postgresql-contrib-8.2.6-1.el5s2.x86_64.rpm
File outdated by:  RHSA-2009:1461
    MD5: e08b50f5bf35ae60b9c6df84b700a7d8
postgresql-devel-8.2.6-1.el5s2.i386.rpm
File outdated by:  RHSA-2009:1461
    MD5: 348cb782623d140efc1c42fe48912819
postgresql-devel-8.2.6-1.el5s2.x86_64.rpm
File outdated by:  RHSA-2009:1461
    MD5: 36fba96419a6e8907838ec0a7caab626
postgresql-docs-8.2.6-1.el5s2.x86_64.rpm
File outdated by:  RHSA-2009:1461
    MD5: a1c5ff8c17743b8ac796eaf6fee6ca43
postgresql-libs-8.2.6-1.el5s2.i386.rpm
File outdated by:  RHSA-2009:1461
    MD5: 4c87329c00948f05a9415fa7e769b06f
postgresql-libs-8.2.6-1.el5s2.x86_64.rpm
File outdated by:  RHSA-2009:1461
    MD5: 53605ebd52efdf5ca4bac316f8c6d9ae
postgresql-plperl-8.2.6-1.el5s2.x86_64.rpm
File outdated by:  RHSA-2009:1461
    MD5: 2ec925d5170fc768975f938d5eb4978e
postgresql-plpython-8.2.6-1.el5s2.x86_64.rpm
File outdated by:  RHSA-2009:1461
    MD5: af58fe8e14eaa80c780f434cb5ffb013
postgresql-pltcl-8.2.6-1.el5s2.x86_64.rpm
File outdated by:  RHSA-2009:1461
    MD5: 9c5ac2c66cf3c820e2378f53a74c0959
postgresql-python-8.2.6-1.el5s2.x86_64.rpm
File outdated by:  RHSA-2009:1461
    MD5: 79228c3f413f82269218b0d4fefb2467
postgresql-server-8.2.6-1.el5s2.x86_64.rpm
File outdated by:  RHSA-2009:1461
    MD5: 2e97984958b1b5a8f8a7e1b466ae7354
postgresql-tcl-8.2.6-1.el5s2.x86_64.rpm
File outdated by:  RHSA-2009:1461
    MD5: d3d1e534a36b219fadd790dd8d5321c2
postgresql-test-8.2.6-1.el5s2.x86_64.rpm
File outdated by:  RHSA-2009:1461
    MD5: f1a2826650618da9259f557dd09bd201
 
(The unlinked packages above are only available from the Red Hat Network)
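The package listing above pairs each RPM with its MD5 and the advisory that later superseded it. As an added example that is not part of the advisory or of Red Hat's tooling, the Python script below parses that listing format (a two-package excerpt from the x86_64 section above is embedded as sample input) into a lookup table and then checks downloaded files against it, reporting each file as matching, mismatching, or absent from the advisory. The section, "File outdated by" and "MD5:" line patterns are assumptions drawn from the listing as rendered on this page; the `verify_downloads` and `md5_hex` names are the example's own.

```python
import hashlib
import re

# Line patterns assumed from the advisory's package listing as shown above.
_SECTION_RE = re.compile(r"^([A-Za-z0-9_-]+):$")          # "x86_64:", "IA-32:", "SRPMS:"
_OUTDATED_RE = re.compile(r"^File outdated by:\s*(\S+)$")  # superseding advisory id
_MD5_RE = re.compile(r"^MD5:\s*([0-9a-f]{32})$")

# Sample listing: two entries copied from the x86_64 section above.
SAMPLE_LISTING = """\
x86_64:
postgresql-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: ca4b2d8fac1c00ab515679fff351982f
postgresql-libs-8.1.11-1.el4s1.1.x86_64.rpm
File outdated by:  RHEA-2008:0975
    MD5: 29bdef809549c576324cc00a3ceb93cf
"""


def parse_package_listing(text):
    """Map each .rpm filename to its section, MD5 and superseding advisory."""
    entries = {}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            current = None
            continue
        if line.endswith(".rpm"):
            current = {"section": section, "md5": None, "outdated_by": None}
            entries[line] = current
            continue
        if current is None:
            continue  # stray text outside any package entry
        m = _OUTDATED_RE.match(line)
        if m:
            current["outdated_by"] = m.group(1)
            continue
        m = _MD5_RE.match(line)
        if m:
            current["md5"] = m.group(1)
    return entries


def md5_hex(data):
    """Hex MD5 of a byte string, matching the advisory's checksum format."""
    return hashlib.md5(data).hexdigest()


def verify_downloads(entries, files):
    """files: filename -> bytes. Returns filename -> 'ok' | 'mismatch' | 'not-in-advisory'."""
    results = {}
    for name, data in files.items():
        entry = entries.get(name)
        if entry is None or not entry.get("md5"):
            results[name] = "not-in-advisory"
        elif md5_hex(data) == entry["md5"]:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


if __name__ == "__main__":
    table = parse_package_listing(SAMPLE_LISTING)
    for name, entry in table.items():
        print(name, entry)
    # Constructed stand-in payload; real downloads would be read from disk.
    demo = {"postgresql-8.1.11-1.el4s1.1.x86_64.rpm": b"constructed payload"}
    print(verify_downloads(table, demo))
```

A checksum match only confirms the download is the file the advisory lists; MD5 is not collision resistant, so the GPG signature on the packages (see the key reference at the end of this page) remains the integrity check that matters, and the "outdated_by" field is a reminder that a later advisory supersedes these builds.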

Bugs fixed (see bugzilla for more information)

309141 - CVE-2007-3278 dblink allows proxying of database connections via 127.0.0.1
315231 - CVE-2007-4769 postgresql integer overflow in regex code
316511 - CVE-2007-4772 postgresql DoS via infinite loop in regex NFA optimization code
400931 - CVE-2007-6067 postgresql: temporary DoS caused by slow regex NFA cleanup
427127 - CVE-2007-6600 PostgreSQL privilege escalation
427128 - CVE-2007-6601 PostgreSQL privilege escalation via dblink



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/