Red Hat Product Errata RHSA-2005:150 - Security Advisory
Issued:
2005-02-16
Updated:
2005-02-16

RHSA-2005:150 - Security Advisory

Synopsis

postgresql security update

Type/Severity

Security Advisory: Important

Topic

Updated PostgreSQL packages to fix various security flaws are now available
for Red Hat Enterprise Linux 2.1AS.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Description

PostgreSQL is an advanced Object-Relational database management system
(DBMS).

A flaw in the LOAD command in PostgreSQL was discovered. A local user
could use this flaw to load arbitrary shared libraries and therefore
execute arbitrary code, gaining the privileges of the PostgreSQL server.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0227 to this issue.

Multiple buffer overflows were found in PL/PgSQL. A database user who has
permissions to create plpgsql functions could trigger this flaw which could
lead to arbitrary code execution, gaining the privileges of the PostgreSQL
server. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CAN-2005-0245 and CAN-2005-0247 to these issues.

Users of PostgreSQL are advised to update to these erratum packages which
are not vulnerable to these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Affected Products

  • Red Hat Enterprise Linux Server 2 ia64
  • Red Hat Enterprise Linux Server 2 i386
  • Red Hat Enterprise Linux Workstation 2 ia64
  • Red Hat Enterprise Linux Workstation 2 i386

Fixes

  • BZ - 130818 - PostgreSQL can lose committed transactions
  • BZ - 147703 - CAN-2005-0227 Multiple security and data-loss issues in PostgreSQL (CAN-2004-0977 CAN-2005-0245 CAN-2005-0247)

References

(none)

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.