             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     /_\   /
                        \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                          PostgreSQL Vulnerabilities
                 [Red Hat Security Advisory RHSA-2005:141-06]

February 14, 2005 19:00 GMT                                       Number P-139
[REVISED 15 Feb 2005]
[REVISED 16 Feb 2005]
[REVISED 22 Feb 2005]
[REVISED 11 Mar 2005]
______________________________________________________________________________
PROBLEM:       Multiple security vulnerabilities were found in PostgreSQL.
               PostgreSQL is an advanced Object-Relational database
               management system.
PLATFORM:      Red Hat Desktop (v. 3) & (v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 2.1 and 3) & (v. 4)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               Debian GNU/Linux 3.0 (woody)
               SGI Advanced Linux Environment 3 for Patch 10144 for SGI
               ProPack 3 Service Pack 4
DAMAGE:        - A flaw in the load command may allow an attacker to load
                 arbitrary shared libraries and therefore execute arbitrary
                 code, gaining the privileges of the PostgreSQL server.
               - A permission checking flaw may allow a local attacker to
                 bypass the EXECUTE permission check for functions by using
                 the CREATE AGGREGATE command.
               - Multiple buffer overflows were found in PL/PgSQL. An
                 attacker who has permissions to create plpgsql functions
                 could trigger this flaw which could lead to arbitrary code
                 execution, gaining the privileges of the PostgreSQL server.
               - A flaw in the integer aggregator (intagg) contrib module
                 for PostgreSQL was found. A user could create carefully
                 crafted arrays and cause a denial of service (crash).
SOLUTION:      Apply the updated packages.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. The most severe of the vulnerabilities may
ASSESSMENT:    allow a local attacker to execute arbitrary code with the
               privileges of the PostgreSQL server.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-139.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2005-141.html
 ADDITIONAL LINKS:   Debian Security Advisory DSA-683-1
                     http://www.debian.org/security/2005/dsa-683
                     Red Hat Security Advisory RHSA-2005:150-04
                     https://rhn.redhat.com/errata/RHSA-2005-150.html
                     Red Hat Security Advisory RHSA-2005:138-15
                     https://rhn.redhat.com/errata/RHSA-2005-138.html
                     SGI Security Advisory 20050207-01-U
                     Security Update #27
                     http://www.sgi.com/support/security/advisories.html
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2005-0227 CAN-2005-0244 CAN-2005-0245
                     CAN-2005-0246 CAN-2005-0247
______________________________________________________________________________
REVISION HISTORY:
02/15/2005 - added link to Debian Security Advisory DSA-683 that provides
             updated packages for this vulnerability.
02/16/2005 - added link to Red Hat Security Advisory RHSA-2005:150 that
             provides updated packages for Red Hat Enterprise Linux AS, ES,
             WS (v. 2.1) and Red Hat Linux Advanced Workstation 2.1 for the
             Itanium Processor.
02/22/2005 - revised to add a link to Red Hat Security Advisory
             RHSA-2005:138-15 that provides updated packages for Red Hat
             Desktop (v. 4) and Red Hat Enterprise Linux AS, ES, WS (v. 4).
03/11/2005 - revised to add a link to SGI Security Advisory 20050207-01-U
             SGI Advanced Linux Environment 3 Security Update #27 for Patch
             10144 for SGI ProPack 3 Service Pack 4.

[***** Start Red Hat Security Advisory RHSA-2005:141-06 *****]

Updated PostgreSQL packages fix security flaw

Advisory:              RHSA-2005:141-06
Last updated on:       2005-02-14
Affected Products:     Red Hat Desktop (v. 3)
                       Red Hat Enterprise Linux AS (v. 3)
                       Red Hat Enterprise Linux ES (v. 3)
                       Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org):  CAN-2005-0227
                       CAN-2005-0244
                       CAN-2005-0245
                       CAN-2005-0246
                       CAN-2005-0247

Security Advisory

Details:

Updated PostgreSQL packages to fix various security flaws are now available
for Red Hat Enterprise Linux 3.

PostgreSQL is an advanced Object-Relational database management system
(DBMS).

A flaw in the LOAD command in PostgreSQL was discovered. A local user could
use this flaw to load arbitrary shared libraries and therefore execute
arbitrary code, gaining the privileges of the PostgreSQL server. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-0227 to this issue.

A permission checking flaw in PostgreSQL was discovered. A local user could
bypass the EXECUTE permission check for functions by using the CREATE
AGGREGATE command. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0244 to this issue.

Multiple buffer overflows were found in PL/PgSQL. A database user who has
permissions to create plpgsql functions could trigger this flaw which could
lead to arbitrary code execution, gaining the privileges of the PostgreSQL
server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CAN-2005-0245 and CAN-2005-0247 to these issues.

A flaw in the integer aggregator (intagg) contrib module for PostgreSQL was
found. A user could create carefully crafted arrays and cause a denial of
service (crash). The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0246 to this issue.

Users of PostgreSQL are advised to update to these erratum packages which are
not vulnerable to these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied. Use Red Hat Network to download
and update your packages.

To launch the Red Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

    http://www.redhat.com/docs/manuals/enterprise/

Bugs fixed: (see bugzilla for more information)

147442 - CAN-2005-0227 Multiple security issues in PostgreSQL (CAN-2005-0244
         CAN-2005-0245 CAN-2005-0246 CAN-2005-0247)

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0227
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0246
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0247

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat Security Advisory RHSA-2005:141-06 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.

CIAC can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-129: Microsoft Vulnerability in Server Message Block
P-130: Microsoft Vulnerability in Microsoft Office XP
P-131: Vulnerability in Windows Shell
P-132: Microsoft Vulnerability in the License Logging Service
P-133: Symantec UPX Parsing Engine Vulnerability
P-134: Microsoft Vulnerability in Windows SharePoint Services and SharePoint
       Team Services
P-135: HP-UX ftpd Remote Privileged Access
P-136: Microsoft PNG Processing Vulnerability
P-137: Mailman Vulnerabilities
P-138: Updated Squid Package Fixes Security Issues
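
One way to confirm that the SOLUTION in this bulletin has actually taken effect on a Red Hat Enterprise Linux 3 host, given as an added example that is not part of the CIAC bulletin or the Red Hat advisory: the script flags any installed rh-postgresql package older than the fixed build 7.3.9-2 named in the advisory's package files. The function names and the sample inventory are constructed for illustration, and GNU `sort -V` is assumed as an approximation of RPM's own version comparison.

```shell
#!/bin/sh
# Added example: audit an RPM inventory against RHSA-2005:141.
# FIXED_EVR is the version-release of the fixed rh-postgresql packages
# listed in the advisory for Red Hat Enterprise Linux 3.
FIXED_EVR="7.3.9-2"

# ver_lt A B: succeed when version-release A sorts strictly before B.
# Assumption: GNU `sort -V` stands in for RPM's comparison. That is adequate
# for dotted numeric versions like these, not for epochs or unusual tags.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_packages: read "name version-release" lines on stdin, print a verdict
# for each rh-postgresql package, and return 1 if any is below FIXED_EVR.
audit_packages() {
    status=0
    while read -r name evr; do
        case "$name" in
            rh-postgresql|rh-postgresql-*) ;;   # packages covered by the erratum
            *) continue ;;                      # anything else is out of scope
        esac
        if ver_lt "$evr" "$FIXED_EVR"; then
            echo "VULNERABLE $name $evr (needs >= $FIXED_EVR)"
            status=1
        else
            echo "OK         $name $evr"
        fi
    done
    return "$status"
}

# Constructed sample inventory (not taken from a real host): two packages
# already updated, two left behind by a partial update, one unrelated.
sample_inventory() {
    cat <<'EOF'
rh-postgresql 7.3.9-2
rh-postgresql-libs 7.3.9-2
rh-postgresql-server 7.3.8-2
rh-postgresql-contrib 7.3.6-7
openssl 0.9.7a-33
EOF
}

# On a live host, feed the real inventory instead of the sample:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit_packages
# For a manually downloaded package, check the GPG signature before
# installing it:
#   rpm --checksig <package file>
sample_inventory | audit_packages || echo "update required"
```

A partial update is the case worth catching: the server and contrib packages carry the PL/PgSQL and intagg fixes, so every rh-postgresql subpackage has to reach the fixed build, not just the base package.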