Red Hat Product Errata RHSA-2007:0067 - Security Advisory
Issued:
2007-02-07
Updated:
2007-02-07

RHSA-2007:0067 - Security Advisory

Synopsis

Moderate: postgresql security update

Type/Severity

Security Advisory: Moderate

Topic

Updated postgresql packages that fix several security vulnerabilities are
now available for the Red Hat Application Stack.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

PostgreSQL is an advanced Object-Relational database management system
(DBMS).

Two flaws were found in the way the PostgreSQL server handles certain
SQL-language functions. An authenticated user could execute a sequence of
command which could crash the PostgreSQL server or possibly read from
arbitrary memory locations. A user must have permissions to drop and add
database tables to exploit this flaw. (CVE-2007-0555, CVE-2007-0556)

Several denial of service flaws were found in the PostgreSQL server. An
authenticated user could execute an SQL command which could crash the
PostgreSQL server. (CVE-2006-5540, CVE-2006-5541, CVE-2006-5542)

Users of PostgreSQL should upgrade to these updated packages containing
PostgreSQL version 8.1.7, which corrects these issues.

Note: The original PostgreSQL 8.1.7 security patch contained an error; this
release includes the updated patch and so is equivalent to the
soon-to-be-released 8.1.8.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Affected Products

  • Red Hat Application Stack 1 1 x86_64
  • Red Hat Application Stack 1 1 i386

Fixes

  • BZ - 225543 - CVE-2007-0555 PostgreSQL arbitrary memory read flaws (CVE-2007-0556)
  • BZ - 227299 - CVE-2006-5540 New version fixes three different crash vulnerabilities (CVE-2006-5541, CVE-2006-5542)
  • BZ - 227542 - Attribute type error when updating varchar column

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.