__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

PostgreSQL Security Update
[Red Hat RHSA-2008:0038-7]

January 11, 2008 19:00 GMT                                    Number S-108
[REVISED 14 Jan 2008]
[REVISED 16 Jan 2008]
[REVISED 22 Feb 2008]
[REVISED 2 Apr 2008]
______________________________________________________________________________
PROBLEM:       There are multiple flaws in PostgreSQL.
PLATFORM:      RHEL Desktop Workstation (v. 5 client)
               Red Hat Desktop (v. 3, v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 2.1, v.3, v.4)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               Red Hat Enterprise Linux (v. 5 server)
               RHEL Desktop Workstation (v. 5 Client)
               Red Hat Enterprise Linux Desktop (v. 5 client)
               Debian GNU/Linux 3.1 (oldstable) and 4.0 (stable)
               HP Internet Express for Tru64 UNIX v 6.7 and v 6.6
DAMAGE:        An authenticated attacker could use these flaws to cause a
               denial of service by causing the PostgreSQL server to crash,
               enter an infinite loop, or use extensive CPU and memory
               resources while processing queries containing specially
               crafted regular expressions. Applications that accept regular
               expressions from untrusted sources may expose this problem to
               unauthorized attackers.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Could cause a denial of service and an
ASSESSMENT:    authenticated attacker could gain privilege escalation.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-108.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2008-0038.html
 ADDITIONAL LINKS:   https://rhn.redhat.com/errata/RHSA-2008-0039.html
                     http://rhn.redhat.com/errata/RHSA-2008-0134.html
                     http://www.debian.org/security/2008/dsa-1460
                     http://www.debian.org/security/2008/dsa-1463
                     Visit Hewlett-Packard Subscription Service for:
                     HPSBTU02325 SSRT080006 rev. 1
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-3278 CVE-2007-4769 CVE-2007-4772
                     CVE-2007-6067 CVE-2007-6600 CVE-2007-6601
______________________________________________________________________________
REVISION HISTORY:
01/14/2008 - revised S-108 to add a link to Debian Security Advisory
             DSA-1460-1 for Debian GNU/Linux 4.0 (stable).
01/16/2008 - revised S-108 to add a link to Debian Security Advisory
             DSA-1463-1 for Debian GNU/Linux 3.1 (oldstable) and 4.0
             (stable).
02/22/2008 - revised S-108 to add a link to Red Hat RHSA-2008:0134-3 for
             Red Hat Desktop (v. 3, v. 4), Red Hat Enterprise Linux AS, ES,
             WS (v. 2.1, v.3, v.4), and Red Hat Linux Advanced Workstation
             2.1 for the Itanium Processor.
04/02/2008 - revised S-108 to add a link to Hewlett-Packard Subscription
             Service for HPSBTU02325 SSRT080006 rev. 1 for HP Internet
             Express for Tru64 UNIX v 6.7 and v 6.6.

[***** Start Red Hat RHSA-2008:0038-7 *****]

Moderate: postgresql security update

Advisory:           RHSA-2008:0038-7
Type:               Security Advisory
Severity:           Moderate
Issued on:          2008-01-11
Last updated on:    2008-01-11
Affected Products:  RHEL Desktop Workstation (v. 5 client)
                    Red Hat Desktop (v. 4)
                    Red Hat Enterprise Linux (v. 5 server)
                    Red Hat Enterprise Linux AS (v. 4)
                    Red Hat Enterprise Linux Desktop (v. 5 client)
                    Red Hat Enterprise Linux ES (v. 4)
                    Red Hat Enterprise Linux WS (v. 4)
OVAL:               com.redhat.rhsa-20080038.xml
CVEs (cve.mitre.org):
                    CVE-2007-3278
                    CVE-2007-4769
                    CVE-2007-4772
                    CVE-2007-6067
                    CVE-2007-6600
                    CVE-2007-6601

Details

Updated postgresql packages that fix several security issues are now
available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

PostgreSQL is an advanced Object-Relational database management system
(DBMS). The postgresql packages include the client programs and libraries
needed to access a PostgreSQL DBMS server.

Will Drewry discovered multiple flaws in PostgreSQL's regular expression
engine. An authenticated attacker could use these flaws to cause a denial
of service by causing the PostgreSQL server to crash, enter an infinite
loop, or use extensive CPU and memory resources while processing queries
containing specially crafted regular expressions. Applications that accept
regular expressions from untrusted sources may expose this problem to
unauthorized attackers. (CVE-2007-4769, CVE-2007-4772, CVE-2007-6067)

A privilege escalation flaw was discovered in PostgreSQL. An authenticated
attacker could create an index function that would be executed with
administrator privileges during database maintenance tasks, such as
database vacuuming. (CVE-2007-6600)

A privilege escalation flaw was discovered in PostgreSQL's Database Link
library (dblink). An authenticated attacker could use dblink to possibly
escalate privileges on systems with "trust" or "ident" authentication
configured. Please note that dblink functionality is not enabled by
default, and can only be enabled by a database administrator on systems
with the postgresql-contrib package installed. (CVE-2007-3278,
CVE-2007-6601)

All postgresql users should upgrade to these updated packages, which
include PostgreSQL 7.4.19 and 8.1.11, and resolve these issues.
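The dblink issue described above depends on "trust" or "ident" authentication being configured. As an added example (not part of the Red Hat or CIAC text), the Python sketch below audits a pg_hba.conf for those two methods on Unix-socket and loopback rules, which are the rules that apply to connections originating on the database host itself. The sample file contents and all function names are constructed for illustration.

```python
import ipaddress

# Authentication methods the advisory names for the dblink issue.
RISKY_METHODS = {"trust", "ident"}
LOOPBACK = {4: ipaddress.ip_network("127.0.0.0/8"),
            6: ipaddress.ip_network("::1/128")}

# Constructed sample pg_hba.conf (not taken from any real system).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  CIDR-ADDRESS               METHOD
local   all       all                              ident sameuser
host    all       all   127.0.0.1/32               trust
host    all       all   127.0.0.1 255.255.255.255  md5
host    all       all   ::1/128                    md5
host    appdb     app   10.0.0.0/8                 md5
host    all       all   0.0.0.0/0                  trust
hostssl reports   all   192.168.1.0 255.255.255.0  ident sameuser
"""


def is_ip(token):
    """Return True if token is a bare IP address (used to spot a netmask column)."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def covers_loopback(address, netmask=None):
    """Return True if a pg_hba address field matches connections from the host itself."""
    if address in ("all", "samehost", "localhost"):
        return True
    try:
        if netmask is None:
            net = ipaddress.ip_network(address, strict=False)
        else:
            # Old-style separate mask column: convert it to a prefix length.
            prefix = bin(int(ipaddress.ip_address(netmask))).count("1")
            net = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    except ValueError:
        return False  # other host names are not resolved by this sketch
    return net.overlaps(LOOPBACK[net.version])


def audit_pg_hba(text):
    """Return one finding per local/loopback rule that uses trust or ident."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if not fields:
            continue
        conn_type = fields[0]
        if conn_type == "local" and len(fields) >= 4:
            # local  DATABASE  USER  METHOD [OPTIONS]
            address, method, on_host = "unix-socket", fields[3], True
        elif conn_type in ("host", "hostssl", "hostnossl") and len(fields) >= 5:
            # host  DATABASE  USER  ADDRESS [MASK]  METHOD [OPTIONS]
            has_mask = len(fields) > 5 and is_ip(fields[4])
            netmask = fields[4] if has_mask else None
            method = fields[5] if has_mask else fields[4]
            address = fields[3]
            on_host = covers_loopback(address, netmask)
        else:
            continue  # malformed or unsupported line
        if on_host and method.lower() in RISKY_METHODS:
            findings.append({"line": lineno, "type": conn_type,
                             "address": address, "method": method.lower()})
    return findings


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f['line']}: {f['type']} {f['address']} uses {f['method']}")
```

A finding is a prompt to review the rule alongside whether dblink has been enabled, since the advisory notes that dblink is not enabled by default.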
Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

309141 - CVE-2007-3278 dblink allows proxying of database connections via 127.0.0.1
315231 - CVE-2007-4769 postgresql integer overflow in regex code
316511 - CVE-2007-4772 postgresql DoS via infinite loop in regex NFA optimization code
400931 - CVE-2007-6067 postgresql: temporary DoS caused by slow regex NFA cleanup
427127 - CVE-2007-6600 PostgreSQL privilege escalation
427128 - CVE-2007-6601 PostgreSQL privilege escalation via dblink

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6601
http://www.redhat.com/security/updates/classification/#moderate

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details
at http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2008:0038-7 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health
(NIH). CIAC is located at the Lawrence Livermore National Laboratory in
Livermore, California. CIAC is also a founding member of FIRST, the Forum
of Incident Response and Security Teams, a global organization established
to foster cooperation and coordination among computer security teams
worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.