RHSA-2003:314 - Security Advisory
postgresql security update
Security Advisory: Moderate
Updated PostgreSQL packages that correct a buffer overflow in the to_ascii
routines are now available.
PostgreSQL is an advanced Object-Relational database management system.
Two bugs that can lead to buffer overflows have been found in the
PostgreSQL abstract data type to ASCII conversion routines. A remote
attacker who is able to influence the data passed to the to_ascii functions
may be able to execute arbitrary code in the context of the PostgreSQL
server. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2003-0901 to these issues.
In addition, a bug that can lead to leaks has been found in the string to
timestamp abstract data type conversion routine. If the input string to
the to_timestamp() routine is shorter than what the template string is
expecting, the routine will run off the end of the input string, resulting
in a leak and unstable behaviour.
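As an added illustration (this is not PostgreSQL's source and not the backported patch shipped in these packages), the C program below models the class of defect described above for to_timestamp(): a template such as "YYYY-MM-DD" dictates how many input characters the parser consumes per field, so a parser that trusts the template reads past the end of an input string shorter than the template. The parser here checks the remaining input before every field and rejects short or malformed input instead of running off the end; template_overrun() reports how many bytes beyond the input an unchecked parser would have read. The template syntax, function names and sample dates are assumptions chosen for the illustration.

```c
/* Illustrative example added to this advisory; not PostgreSQL code.
 * A template-driven date parser that refuses to read beyond its input. */
#include <stdio.h>
#include <string.h>

typedef struct { int year, month, day; } date_t;

/* Consume exactly 'width' digits from *p into *out.
 * Returns 0 (and consumes nothing useful) if fewer than 'width'
 * bytes remain before 'end' or a non-digit is encountered. */
static int take_digits(const char **p, const char *end, int width, int *out) {
    if (end - *p < width) return 0;   /* input shorter than the template expects */
    int v = 0;
    for (int i = 0; i < width; i++) {
        if (**p < '0' || **p > '9') return 0;
        v = v * 10 + (**p - '0');
        (*p)++;
    }
    *out = v;
    return 1;
}

/* Parse 'input' against 'tmpl' (e.g. "YYYY-MM-DD", an assumed template
 * syntax: runs of Y/M/D are digit fields, any other byte is a literal
 * separator that must match). Returns 1 on success, 0 on any mismatch. */
int parse_date_safe(const char *input, const char *tmpl, date_t *out) {
    const char *p = input, *end = input + strlen(input);
    out->year = out->month = out->day = 0;
    while (*tmpl) {
        char c = *tmpl;
        if (c == 'Y' || c == 'M' || c == 'D') {
            int width = 0, v;
            while (*tmpl == c) { width++; tmpl++; }
            if (!take_digits(&p, end, width, &v)) return 0;
            if (c == 'Y') out->year = v;
            else if (c == 'M') out->month = v;
            else out->day = v;
        } else {
            /* The literal must be present in the input; never step past 'end'. */
            if (p >= end || *p != c) return 0;
            p++; tmpl++;
        }
    }
    return 1;
}

/* Each template byte consumes one input byte, so this is how many bytes
 * past the end of 'input' a parser that blindly trusts 'tmpl' would read.
 * 0 means the input is at least as long as the template. */
size_t template_overrun(const char *input, const char *tmpl) {
    size_t need = strlen(tmpl), have = strlen(input);
    return need > have ? need - have : 0;
}

/* Convenience wrapper: parsed year/month/day, or -1 if parsing was rejected. */
int parsed_field(const char *input, const char *tmpl, char which) {
    date_t d;
    if (!parse_date_safe(input, tmpl, &d)) return -1;
    return which == 'Y' ? d.year : which == 'M' ? d.month : d.day;
}

int main(void) {
    const char *tmpl = "YYYY-MM-DD";
    const char *inputs[] = { "2003-11-04", "2003-11", "2003/11/04" };  /* constructed samples */
    for (int i = 0; i < 3; i++) {
        date_t d;
        int ok = parse_date_safe(inputs[i], tmpl, &d);
        printf("%-12s -> %s (unchecked parser would overrun by %zu byte(s))\n",
               inputs[i], ok ? "accepted" : "rejected", template_overrun(inputs[i], tmpl));
    }
    return 0;
}
```

The bounds check in take_digits() and the `p >= end` test on literals are the whole fix: the template no longer decides how far the parser walks, the input length does.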
Users of PostgreSQL are advised to upgrade to these erratum packages, which
contain a backported patch that corrects these issues.
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
Please note that this update is available via Red Hat Network. To use Red
Hat Network, launch the Red Hat Update Agent with the following command:
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
Note that no initdb will be necessary from previous PostgreSQL packages.
- Red Hat Enterprise Linux Server 2 ia64
- Red Hat Enterprise Linux Server 2 i386
- Red Hat Enterprise Linux Workstation 2 ia64
- Red Hat Enterprise Linux Workstation 2 i386
- BZ - 108578 - CAN-2003-0901 PostgreSQL To_Ascii() Buffer Overflow Vulnerability
- BZ - 109067 - to_timestamp not stable if date string shorter than template
Red Hat Enterprise Linux Server 2
Red Hat Enterprise Linux Workstation 2