Date:         Thu, 8 Oct 2009 14:35:16 -0500
Reply-To:     Troy Dawson
Sender:       Security Errata for Scientific Linux
From:         Troy Dawson
Subject:      Security ERRATA Moderate: postgresql on SL3.x, SL4.x,
              SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"

Synopsis:	Moderate: postgresql security update
Issue date:	2009-10-07
CVE Names:	CVE-2009-0922 CVE-2009-3230

CVE-2009-0922 postgresql: potential DoS due to conversion functions
CVE-2009-3230 postgresql: SQL privilege escalation, incomplete fix for CVE-2007-6600

It was discovered that the upstream patch for CVE-2007-6600 included in 
Scientific Linux did not include protection against misuse of the 
RESET ROLE and RESET SESSION AUTHORIZATION commands. An authenticated 
user could use this flaw to install malicious code that would later 
execute with superuser privileges. (CVE-2009-3230)

A flaw was found in the way PostgreSQL handled encoding conversion. A
remote, authenticated user could trigger an encoding conversion failure,
possibly leading to a temporary denial of service. Note: To exploit this
issue, a locale and client encoding for which specific messages fail to
translate must be selected (the availability of these is determined by 
an administrator-defined locale setting). (CVE-2009-0922)

Note: For Scientific Linux 4, this update upgrades PostgreSQL to version 
7.4.26. For Scientific Linux 5, this update upgrades PostgreSQL to 
version 8.1.18. Refer to the PostgreSQL Release Notes for a list of changes:

https://www.postgresql.org/docs/7.4/release.html
https://www.postgresql.org/docs/8.1/release.html

If the postgresql service is running, it will be automatically restarted 
after installing this update.

SL 3.0.x

       SRPMS:
rh-postgresql-7.3.21-2.src.rpm
       i386:
rh-postgresql-7.3.21-2.i386.rpm
rh-postgresql-contrib-7.3.21-2.i386.rpm
rh-postgresql-devel-7.3.21-2.i386.rpm
rh-postgresql-docs-7.3.21-2.i386.rpm
rh-postgresql-jdbc-7.3.21-2.i386.rpm
rh-postgresql-libs-7.3.21-2.i386.rpm
rh-postgresql-pl-7.3.21-2.i386.rpm
rh-postgresql-python-7.3.21-2.i386.rpm
rh-postgresql-server-7.3.21-2.i386.rpm
rh-postgresql-tcl-7.3.21-2.i386.rpm
rh-postgresql-test-7.3.21-2.i386.rpm
       x86_64:
rh-postgresql-7.3.21-2.x86_64.rpm
rh-postgresql-contrib-7.3.21-2.x86_64.rpm
rh-postgresql-devel-7.3.21-2.x86_64.rpm
rh-postgresql-docs-7.3.21-2.x86_64.rpm
rh-postgresql-jdbc-7.3.21-2.x86_64.rpm
rh-postgresql-libs-7.3.21-2.i386.rpm
rh-postgresql-libs-7.3.21-2.x86_64.rpm
rh-postgresql-pl-7.3.21-2.x86_64.rpm
rh-postgresql-python-7.3.21-2.x86_64.rpm
rh-postgresql-server-7.3.21-2.x86_64.rpm
rh-postgresql-tcl-7.3.21-2.x86_64.rpm
rh-postgresql-test-7.3.21-2.x86_64.rpm

SL 4.x

       SRPMS:
postgresql-7.4.26-1.el4_8.1.src.rpm
       i386:
postgresql-7.4.26-1.el4_8.1.i386.rpm
postgresql-contrib-7.4.26-1.el4_8.1.i386.rpm
postgresql-devel-7.4.26-1.el4_8.1.i386.rpm
postgresql-docs-7.4.26-1.el4_8.1.i386.rpm
postgresql-jdbc-7.4.26-1.el4_8.1.i386.rpm
postgresql-libs-7.4.26-1.el4_8.1.i386.rpm
postgresql-pl-7.4.26-1.el4_8.1.i386.rpm
postgresql-python-7.4.26-1.el4_8.1.i386.rpm
postgresql-server-7.4.26-1.el4_8.1.i386.rpm
postgresql-tcl-7.4.26-1.el4_8.1.i386.rpm
postgresql-test-7.4.26-1.el4_8.1.i386.rpm
       x86_64:
postgresql-7.4.26-1.el4_8.1.x86_64.rpm
postgresql-contrib-7.4.26-1.el4_8.1.x86_64.rpm
postgresql-devel-7.4.26-1.el4_8.1.x86_64.rpm
postgresql-docs-7.4.26-1.el4_8.1.x86_64.rpm
postgresql-jdbc-7.4.26-1.el4_8.1.x86_64.rpm
postgresql-libs-7.4.26-1.el4_8.1.i386.rpm
postgresql-libs-7.4.26-1.el4_8.1.x86_64.rpm
postgresql-pl-7.4.26-1.el4_8.1.x86_64.rpm
postgresql-python-7.4.26-1.el4_8.1.x86_64.rpm
postgresql-server-7.4.26-1.el4_8.1.x86_64.rpm
postgresql-tcl-7.4.26-1.el4_8.1.x86_64.rpm
postgresql-test-7.4.26-1.el4_8.1.x86_64.rpm

SL 5.x

       SRPMS:
postgresql-8.1.18-2.el5_4.1.src.rpm
       i386:
postgresql-8.1.18-2.el5_4.1.i386.rpm
postgresql-contrib-8.1.18-2.el5_4.1.i386.rpm
postgresql-devel-8.1.18-2.el5_4.1.i386.rpm
postgresql-docs-8.1.18-2.el5_4.1.i386.rpm
postgresql-libs-8.1.18-2.el5_4.1.i386.rpm
postgresql-pl-8.1.18-2.el5_4.1.i386.rpm
postgresql-python-8.1.18-2.el5_4.1.i386.rpm
postgresql-server-8.1.18-2.el5_4.1.i386.rpm
postgresql-tcl-8.1.18-2.el5_4.1.i386.rpm
postgresql-test-8.1.18-2.el5_4.1.i386.rpm
       x86_64:
postgresql-8.1.18-2.el5_4.1.x86_64.rpm
postgresql-contrib-8.1.18-2.el5_4.1.x86_64.rpm
postgresql-devel-8.1.18-2.el5_4.1.i386.rpm
postgresql-devel-8.1.18-2.el5_4.1.x86_64.rpm
postgresql-docs-8.1.18-2.el5_4.1.x86_64.rpm
postgresql-libs-8.1.18-2.el5_4.1.i386.rpm
postgresql-libs-8.1.18-2.el5_4.1.x86_64.rpm
postgresql-pl-8.1.18-2.el5_4.1.x86_64.rpm
postgresql-python-8.1.18-2.el5_4.1.x86_64.rpm
postgresql-server-8.1.18-2.el5_4.1.x86_64.rpm
postgresql-tcl-8.1.18-2.el5_4.1.x86_64.rpm
postgresql-test-8.1.18-2.el5_4.1.x86_64.rpm
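As an added example that is not part of the original errata, the following Python script checks `rpm -qa` output against the fixed package versions listed above, so an administrator can confirm that every postgresql subpackage on a host (including multilib i386 copies on x86_64) is at or past the fixed version. It reimplements rpm's segment-by-segment version comparison rather than calling rpm, so it runs anywhere. The fixed versions and subpackage names are taken from the lists above; the sample `rpm -qa` lines are constructed, and the code assumes no epochs and none of the tilde/caret rules that later rpm releases added.

```python
import re
import string

# Fixed (version, release) per Scientific Linux series, taken from the package
# lists in this errata. None of these packages carries an epoch.
FIXED = {
    "SL3": ("rh-postgresql", "7.3.21", "2"),
    "SL4": ("postgresql", "7.4.26", "1.el4_8.1"),
    "SL5": ("postgresql", "8.1.18", "2.el5_4.1"),
}

# Subpackage suffixes that appear in the errata lists (jdbc is SL3/SL4 only,
# but checking for it on SL5 is harmless).
SUBPACKAGES = {"contrib", "devel", "docs", "jdbc", "libs", "pl",
               "python", "server", "tcl", "test"}

_ALNUM = set(string.ascii_letters + string.digits)


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm's rpmvercmp() does.

    Returns 1 if a is newer, -1 if b is newer, 0 if equal. Strings are walked
    segment by segment: runs of digits compare numerically, runs of letters
    compare as strings, and a numeric segment always outranks an alphabetic one.
    Assumption: no '~' or '^' markers (those were added to rpm later).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (dots, underscores, dashes, ...) only delimit segments.
        while i < len(a) and a[i] not in _ALNUM:
            i += 1
        while j < len(b) and b[j] not in _ALNUM:
            j += 1
        if i >= len(a) or j >= len(b):
            break
        if a[i] in string.digits:
            ma = re.match(r"[0-9]+", a[i:])
            mb = re.match(r"[0-9]+", b[j:])
            if mb is None:
                return 1          # numeric segment beats alphabetic segment
            sa, sb = ma.group().lstrip("0"), mb.group().lstrip("0")
            if len(sa) != len(sb):  # with leading zeros gone, longer is larger
                return 1 if len(sa) > len(sb) else -1
        else:
            ma = re.match(r"[A-Za-z]+", a[i:])
            mb = re.match(r"[A-Za-z]+", b[j:])
            if mb is None:
                return -1         # alphabetic segment loses to numeric segment
            sa, sb = ma.group(), mb.group()
        if sa != sb:
            return 1 if sa > sb else -1
        i += len(ma.group())
        j += len(mb.group())
    # One side ran out of segments: whichever still has leftovers is newer
    # (so "1.0a" > "1.0"); if both are exhausted they are equal.
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evrcmp(v1: str, r1: str, v2: str, r2: str) -> int:
    """Compare (version, release) pairs: version decides, release breaks ties."""
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def parse_nvra(pkg: str):
    """Split 'name-version-release.arch' as printed by `rpm -qa`."""
    rest, arch = pkg.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return name, version, release, arch


def is_advisory_package(name: str, base: str) -> bool:
    """True for the base package or one of the subpackages named in the errata."""
    if name == base:
        return True
    prefix = base + "-"
    return name.startswith(prefix) and name[len(prefix):] in SUBPACKAGES


def audit(rpm_qa_lines, sl_release: str):
    """Return (package, status) for every errata package present in rpm -qa output."""
    base, fixed_ver, fixed_rel = FIXED[sl_release]
    findings = []
    for line in rpm_qa_lines:
        line = line.strip()
        if not line:
            continue
        name, ver, rel, _arch = parse_nvra(line)
        if not is_advisory_package(name, base):
            continue
        patched = evrcmp(ver, rel, fixed_ver, fixed_rel) >= 0
        findings.append((line, "patched" if patched else "VULNERABLE"))
    return findings


# Constructed `rpm -qa` output for an SL5 x86_64 host that is only partly updated
# (the 8.1.11 versions are made-up older builds, not real errata packages).
SAMPLE_RPM_QA = """\
postgresql-libs-8.1.11-1.el5_1.1.x86_64
postgresql-libs-8.1.11-1.el5_1.1.i386
postgresql-server-8.1.11-1.el5_1.1.x86_64
postgresql-8.1.18-2.el5_4.1.x86_64
postgresql-odbc-1.0-1.x86_64
openssl-0.9.8e-12.el5.x86_64
"""

if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_RPM_QA.splitlines(), "SL5"):
        print(f"{status:10s} {pkg}")
```

On a real host, feed `rpm -qa` output to `audit()` with the matching series key; the multilib i386 `postgresql-libs` package on an x86_64 system is reported on its own line, which is why the errata ships both architectures of it.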

-Connie Sieh
-Troy Dawson
