Red Hat 9062 Published by

A postgresql security update is available for Red Hat Enterprise Linux 2.1

----------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Important: postgresql security update
Advisory ID: RHSA-2005:150-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-150.html
Issue date: 2005-02-16
Updated on: 2005-02-16
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-0227 CAN-2005-0245 CAN-2005-0247
----------------------------------------------------------------------

1. Summary:

Updated PostgreSQL packages to fix various security flaws are now available for Red Hat Enterprise Linux 2.1AS.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386



3. Problem description:

PostgreSQL is an advanced Object-Relational database management system (DBMS).

A flaw in the LOAD command in PostgreSQL was discovered. A local user could use this flaw to load arbitrary shared libraries and therefore execute arbitrary code, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0227 to this issue.

Multiple buffer overflows were found in PL/PgSQL. A database user who has permissions to create plpgsql functions could trigger this flaw which could lead to arbitrary code execution, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0245 and CAN-2005-0247 to these issues.

Users of PostgreSQL are advised to update to these erratum packages which are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

147703 - CAN-2005-0227 Multiple security and data-loss issues in PostgreSQL (CAN-2004-0977 CAN-2005-0245 CAN-2005-0247)
130818 - PostgreSQL can lose committed transactions

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/postgresql-7.1.3-6.rhel2.1AS.src.rpm
d6372acaa5a690ea28fa6db8514467f4 postgresql-7.1.3-6.rhel2.1AS.src.rpm

i386:
d5dd4645e60377652a3b20b8ea2075c8 postgresql-7.1.3-6.rhel2.1AS.i386.rpm
900fff68faddf8a4a74d9f28c1798228 postgresql-contrib-7.1.3-6.rhel2.1AS.i386.rpm
fa7a457aca0a82c84695343029f01daa postgresql-devel-7.1.3-6.rhel2.1AS.i386.rpm
6413c9dff17164013e41dfc7e9abc4fb postgresql-docs-7.1.3-6.rhel2.1AS.i386.rpm
14052b797b37408cc83842869128602b postgresql-jdbc-7.1.3-6.rhel2.1AS.i386.rpm
5f63b3466fad8ba0c95ca8f895c01d52 postgresql-libs-7.1.3-6.rhel2.1AS.i386.rpm
44b516e32296194ee2f4087a5f1b673e postgresql-odbc-7.1.3-6.rhel2.1AS.i386.rpm
6b4f6323a147590a7347cbf0f92042e5 postgresql-perl-7.1.3-6.rhel2.1AS.i386.rpm
cdbe160b61882748a38f7cc9d251ab61 postgresql-python-7.1.3-6.rhel2.1AS.i386.rpm
b1b051ed6aaf151c461ccf39a460f8bc postgresql-server-7.1.3-6.rhel2.1AS.i386.rpm
24a53c8b9b10697f2cfa6c690cc8b37b postgresql-tcl-7.1.3-6.rhel2.1AS.i386.rpm
340239bd5986f62ec040ba42b12c108d postgresql-test-7.1.3-6.rhel2.1AS.i386.rpm
a79a012ff3eadfd2630dc863b29479dc postgresql-tk-7.1.3-6.rhel2.1AS.i386.rpm

ia64:
ab956518e3d0a552e193316444fdebe8 postgresql-7.1.3-6.rhel2.1AS.ia64.rpm
7af5314c1bfaadcf4f8837caa41b5b9b postgresql-contrib-7.1.3-6.rhel2.1AS.ia64.rpm
9b8d0b95c2c386dd16ca225185c70446 postgresql-devel-7.1.3-6.rhel2.1AS.ia64.rpm
8f178d5340ef48550351970e0954bcb6 postgresql-docs-7.1.3-6.rhel2.1AS.ia64.rpm
53a27c906e4930481e3d8bccac9b1aed postgresql-jdbc-7.1.3-6.rhel2.1AS.ia64.rpm
9426664bacc88b2836f917c00ae8022d postgresql-libs-7.1.3-6.rhel2.1AS.ia64.rpm
f764dc209d0447701ca238571d192d43 postgresql-odbc-7.1.3-6.rhel2.1AS.ia64.rpm
59054a3ca270a50180dabf602f3fc64a postgresql-perl-7.1.3-6.rhel2.1AS.ia64.rpm
d0f46f72f7e01f1db5f4226813bde4d9 postgresql-python-7.1.3-6.rhel2.1AS.ia64.rpm
cfba743e7d03547bb4042a7e35821f89 postgresql-server-7.1.3-6.rhel2.1AS.ia64.rpm
39886dba0d0b65c0df5ac717eb947c38 postgresql-tcl-7.1.3-6.rhel2.1AS.ia64.rpm
7a37f6ece0ca1f03fd54c83b70379c85 postgresql-test-7.1.3-6.rhel2.1AS.ia64.rpm
db8137c889d035f1cf4ab47e6687cfaf postgresql-tk-7.1.3-6.rhel2.1AS.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/postgresql-7.1.3-6.rhel2.1AS.src.rpm
d6372acaa5a690ea28fa6db8514467f4 postgresql-7.1.3-6.rhel2.1AS.src.rpm

ia64:
ab956518e3d0a552e193316444fdebe8 postgresql-7.1.3-6.rhel2.1AS.ia64.rpm
7af5314c1bfaadcf4f8837caa41b5b9b postgresql-contrib-7.1.3-6.rhel2.1AS.ia64.rpm
9b8d0b95c2c386dd16ca225185c70446 postgresql-devel-7.1.3-6.rhel2.1AS.ia64.rpm
8f178d5340ef48550351970e0954bcb6 postgresql-docs-7.1.3-6.rhel2.1AS.ia64.rpm
53a27c906e4930481e3d8bccac9b1aed postgresql-jdbc-7.1.3-6.rhel2.1AS.ia64.rpm
9426664bacc88b2836f917c00ae8022d postgresql-libs-7.1.3-6.rhel2.1AS.ia64.rpm
f764dc209d0447701ca238571d192d43 postgresql-odbc-7.1.3-6.rhel2.1AS.ia64.rpm
59054a3ca270a50180dabf602f3fc64a postgresql-perl-7.1.3-6.rhel2.1AS.ia64.rpm
d0f46f72f7e01f1db5f4226813bde4d9 postgresql-python-7.1.3-6.rhel2.1AS.ia64.rpm
cfba743e7d03547bb4042a7e35821f89 postgresql-server-7.1.3-6.rhel2.1AS.ia64.rpm
39886dba0d0b65c0df5ac717eb947c38 postgresql-tcl-7.1.3-6.rhel2.1AS.ia64.rpm
7a37f6ece0ca1f03fd54c83b70379c85 postgresql-test-7.1.3-6.rhel2.1AS.ia64.rpm
db8137c889d035f1cf4ab47e6687cfaf postgresql-tk-7.1.3-6.rhel2.1AS.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/postgresql-7.1.3-6.rhel2.1AS.src.rpm
d6372acaa5a690ea28fa6db8514467f4 postgresql-7.1.3-6.rhel2.1AS.src.rpm

i386:
d5dd4645e60377652a3b20b8ea2075c8 postgresql-7.1.3-6.rhel2.1AS.i386.rpm
900fff68faddf8a4a74d9f28c1798228 postgresql-contrib-7.1.3-6.rhel2.1AS.i386.rpm
fa7a457aca0a82c84695343029f01daa postgresql-devel-7.1.3-6.rhel2.1AS.i386.rpm
6413c9dff17164013e41dfc7e9abc4fb postgresql-docs-7.1.3-6.rhel2.1AS.i386.rpm
14052b797b37408cc83842869128602b postgresql-jdbc-7.1.3-6.rhel2.1AS.i386.rpm
5f63b3466fad8ba0c95ca8f895c01d52 postgresql-libs-7.1.3-6.rhel2.1AS.i386.rpm
44b516e32296194ee2f4087a5f1b673e postgresql-odbc-7.1.3-6.rhel2.1AS.i386.rpm
6b4f6323a147590a7347cbf0f92042e5 postgresql-perl-7.1.3-6.rhel2.1AS.i386.rpm
cdbe160b61882748a38f7cc9d251ab61 postgresql-python-7.1.3-6.rhel2.1AS.i386.rpm
b1b051ed6aaf151c461ccf39a460f8bc postgresql-server-7.1.3-6.rhel2.1AS.i386.rpm
24a53c8b9b10697f2cfa6c690cc8b37b postgresql-tcl-7.1.3-6.rhel2.1AS.i386.rpm
340239bd5986f62ec040ba42b12c108d postgresql-test-7.1.3-6.rhel2.1AS.i386.rpm
a79a012ff3eadfd2630dc863b29479dc postgresql-tk-7.1.3-6.rhel2.1AS.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/postgresql-7.1.3-6.rhel2.1AS.src.rpm
d6372acaa5a690ea28fa6db8514467f4 postgresql-7.1.3-6.rhel2.1AS.src.rpm

i386:
d5dd4645e60377652a3b20b8ea2075c8 postgresql-7.1.3-6.rhel2.1AS.i386.rpm
900fff68faddf8a4a74d9f28c1798228 postgresql-contrib-7.1.3-6.rhel2.1AS.i386.rpm
fa7a457aca0a82c84695343029f01daa postgresql-devel-7.1.3-6.rhel2.1AS.i386.rpm
6413c9dff17164013e41dfc7e9abc4fb postgresql-docs-7.1.3-6.rhel2.1AS.i386.rpm
14052b797b37408cc83842869128602b postgresql-jdbc-7.1.3-6.rhel2.1AS.i386.rpm
5f63b3466fad8ba0c95ca8f895c01d52 postgresql-libs-7.1.3-6.rhel2.1AS.i386.rpm
44b516e32296194ee2f4087a5f1b673e postgresql-odbc-7.1.3-6.rhel2.1AS.i386.rpm
6b4f6323a147590a7347cbf0f92042e5 postgresql-perl-7.1.3-6.rhel2.1AS.i386.rpm
cdbe160b61882748a38f7cc9d251ab61 postgresql-python-7.1.3-6.rhel2.1AS.i386.rpm
b1b051ed6aaf151c461ccf39a460f8bc postgresql-server-7.1.3-6.rhel2.1AS.i386.rpm
24a53c8b9b10697f2cfa6c690cc8b37b postgresql-tcl-7.1.3-6.rhel2.1AS.i386.rpm
340239bd5986f62ec040ba42b12c108d postgresql-test-7.1.3-6.rhel2.1AS.i386.rpm
a79a012ff3eadfd2630dc863b29479dc postgresql-tk-7.1.3-6.rhel2.1AS.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0227
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0247

8. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.