---------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Moderate: postgresql security update
Advisory ID: RHSA-2007:0067-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0067.html
Issue date: 2007-02-07
Updated on: 2007-02-07
Product: Red Hat Application Stack
CVE Names: CVE-2007-0555 CVE-2007-0556 CVE-2006-5540
CVE-2006-5541 CVE-2006-5542
- ---------------------------------------------------------------------
1. Summary:
Updated postgresql packages that fix several security vulnerabilities are
now available for the Red Hat Application Stack.
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - i386, x86_64
Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - i386, x86_64
3. Problem description:
PostgreSQL is an advanced Object-Relational database management system
(DBMS).
Two flaws were found in the way the PostgreSQL server handles certain
SQL-language functions. An authenticated user could execute a sequence of
command which could crash the PostgreSQL server or possibly read from
arbitrary memory locations. A user must have permissions to drop and add
database tables to exploit this flaw. (CVE-2007-0555, CVE-2007-0556)
Several denial of service flaws were found in the PostgreSQL server. An
authenticated user could execute an SQL command which could crash the
PostgreSQL server. (CVE-2006-5540, CVE-2006-5541, CVE-2006-5542)
Users of PostgreSQL should upgrade to these updated packages containing
PostgreSQL version 8.1.7, which corrects these issues.
Note: The original PostgreSQL 8.1.7 security patch contained an error; this
release includes the updated patch and so is equivalent to the
soon-to-be-released 8.1.8.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
5. Bug IDs fixed (
http://bugzilla.redhat.com/):
225543 - CVE-2007-0555 PostgreSQL arbitrary memory read flaws (CVE-2007-0556)
227299 - CVE-2006-5540 New version fixes three different crash vulnerabilities (CVE-2006-5541, CVE-2006-5542)
227542 - Attribute type error when updating varchar column
6. RPMs required:
Red Hat Application Stack v1 for Enterprise Linux AS (v.4):
SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/postgresql-8.1.7-3.el4s1.1.src.rpm
45bcce54c270fd2f45d2699acff84f15 postgresql-8.1.7-3.el4s1.1.src.rpm
i386:
c6a46625d9bea44b11124d3a66d96e9b postgresql-8.1.7-3.el4s1.1.i386.rpm
df169915db46942012553d8081a4b3e5 postgresql-contrib-8.1.7-3.el4s1.1.i386.rpm
5e371f2543c84a7b39114b9e2b196d50 postgresql-debuginfo-8.1.7-3.el4s1.1.i386.rpm
9cda736cdb9a5693ee58755e597fe642 postgresql-devel-8.1.7-3.el4s1.1.i386.rpm
3987bad06885307647eeb306343afdc4 postgresql-docs-8.1.7-3.el4s1.1.i386.rpm
f01b6879753c511e872d9a9280a17457 postgresql-libs-8.1.7-3.el4s1.1.i386.rpm
e67b3a9842f3e7df38728b039ff39a07 postgresql-pl-8.1.7-3.el4s1.1.i386.rpm
07ec3d3cdab7acfd656526a2307f4f82 postgresql-python-8.1.7-3.el4s1.1.i386.rpm
e0a1a1e8fd021aa8f48525964c91d404 postgresql-server-8.1.7-3.el4s1.1.i386.rpm
44960f2637577c4af090044005e77d6f postgresql-tcl-8.1.7-3.el4s1.1.i386.rpm
a079aa11e843f8cd39d64d12e84c4c6e postgresql-test-8.1.7-3.el4s1.1.i386.rpm
x86_64:
c254f9f1b3f7d65b39f7e32132c94376 postgresql-8.1.7-3.el4s1.1.x86_64.rpm
ccdcf0cddc657b4dcf14f4a0b55cc668 postgresql-contrib-8.1.7-3.el4s1.1.x86_64.rpm
5e371f2543c84a7b39114b9e2b196d50 postgresql-debuginfo-8.1.7-3.el4s1.1.i386.rpm
22e892be6b087d3184b6e5d9bc283a19 postgresql-debuginfo-8.1.7-3.el4s1.1.x86_64.rpm
9a93c6cf1e6e3924ea032be6e7e07716 postgresql-devel-8.1.7-3.el4s1.1.x86_64.rpm
5c14bb68f28ef09d925e81ca0179ce61 postgresql-docs-8.1.7-3.el4s1.1.x86_64.rpm
f01b6879753c511e872d9a9280a17457 postgresql-libs-8.1.7-3.el4s1.1.i386.rpm
b73d1df15aaed9c98d248e369cb36839 postgresql-libs-8.1.7-3.el4s1.1.x86_64.rpm
0179aa38ed819c9127f0581f6176f522 postgresql-pl-8.1.7-3.el4s1.1.x86_64.rpm
ce253fbaf33d46734431ac4e7e02ac8a postgresql-python-8.1.7-3.el4s1.1.x86_64.rpm
e9d1dd41d9b2c5b40cd675c0346c2f83 postgresql-server-8.1.7-3.el4s1.1.x86_64.rpm
d6dcb504c7775094c2de709151d9d170 postgresql-tcl-8.1.7-3.el4s1.1.x86_64.rpm
93ce219b21d4ef3611c2491c9546c35f postgresql-test-8.1.7-3.el4s1.1.x86_64.rpm
Red Hat Application Stack v1 for Enterprise Linux ES (v.4):
SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/postgresql-8.1.7-3.el4s1.1.src.rpm
45bcce54c270fd2f45d2699acff84f15 postgresql-8.1.7-3.el4s1.1.src.rpm
i386:
c6a46625d9bea44b11124d3a66d96e9b postgresql-8.1.7-3.el4s1.1.i386.rpm
df169915db46942012553d8081a4b3e5 postgresql-contrib-8.1.7-3.el4s1.1.i386.rpm
5e371f2543c84a7b39114b9e2b196d50 postgresql-debuginfo-8.1.7-3.el4s1.1.i386.rpm
9cda736cdb9a5693ee58755e597fe642 postgresql-devel-8.1.7-3.el4s1.1.i386.rpm
3987bad06885307647eeb306343afdc4 postgresql-docs-8.1.7-3.el4s1.1.i386.rpm
f01b6879753c511e872d9a9280a17457 postgresql-libs-8.1.7-3.el4s1.1.i386.rpm
e67b3a9842f3e7df38728b039ff39a07 postgresql-pl-8.1.7-3.el4s1.1.i386.rpm
07ec3d3cdab7acfd656526a2307f4f82 postgresql-python-8.1.7-3.el4s1.1.i386.rpm
e0a1a1e8fd021aa8f48525964c91d404 postgresql-server-8.1.7-3.el4s1.1.i386.rpm
44960f2637577c4af090044005e77d6f postgresql-tcl-8.1.7-3.el4s1.1.i386.rpm
a079aa11e843f8cd39d64d12e84c4c6e postgresql-test-8.1.7-3.el4s1.1.i386.rpm
x86_64:
c254f9f1b3f7d65b39f7e32132c94376 postgresql-8.1.7-3.el4s1.1.x86_64.rpm
ccdcf0cddc657b4dcf14f4a0b55cc668 postgresql-contrib-8.1.7-3.el4s1.1.x86_64.rpm
5e371f2543c84a7b39114b9e2b196d50 postgresql-debuginfo-8.1.7-3.el4s1.1.i386.rpm
22e892be6b087d3184b6e5d9bc283a19 postgresql-debuginfo-8.1.7-3.el4s1.1.x86_64.rpm
9a93c6cf1e6e3924ea032be6e7e07716 postgresql-devel-8.1.7-3.el4s1.1.x86_64.rpm
5c14bb68f28ef09d925e81ca0179ce61 postgresql-docs-8.1.7-3.el4s1.1.x86_64.rpm
f01b6879753c511e872d9a9280a17457 postgresql-libs-8.1.7-3.el4s1.1.i386.rpm
b73d1df15aaed9c98d248e369cb36839 postgresql-libs-8.1.7-3.el4s1.1.x86_64.rpm
0179aa38ed819c9127f0581f6176f522 postgresql-pl-8.1.7-3.el4s1.1.x86_64.rpm
ce253fbaf33d46734431ac4e7e02ac8a postgresql-python-8.1.7-3.el4s1.1.x86_64.rpm
e9d1dd41d9b2c5b40cd675c0346c2f83 postgresql-server-8.1.7-3.el4s1.1.x86_64.rpm
d6dcb504c7775094c2de709151d9d170 postgresql-tcl-8.1.7-3.el4s1.1.x86_64.rpm
93ce219b21d4ef3611c2491c9546c35f postgresql-test-8.1.7-3.el4s1.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5540
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5542
http://www.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2007 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFFyjANXlSAg2UNWIIRAl0dAKCnTiii4u8LzvZ8zMVDG3ecFBSlfACfbJm+
3ivmH1ga5Yo0xZhILjJmAho=
=64QJ
-----END PGP SIGNATURE-----
