Yellow Dog Security Advisory: YDU-20030127-5
yellowdog-updates@lists.terrasoftsolutions.com
Mon, 27 Jan 2003 01:24:16 -0700 (MST)
Yellow Dog Linux Security Announcement
--------------------------------------
Package: postgresql
Issue Date: January 27, 2003
Priority: medium
Advisory ID: YDU-20030127-5
1. Topic:
Updated postgresql packages are available.
2. Problem:
"PostgreSQL is an advanced Object-Relational database management system
(DBMS). A number of security issues have been found that affect PostgreSQL
versions shipped with [Yellow Dog] Linux.
Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of
service and possibly execute arbitrary code via long arguments to the lpad
or rpad functions. CAN-2002-0972
Buffer overflow in the cash_words() function for PostgreSQL 7.2 and
earlier allows local users to cause a denial of service and possibly
execute arbitrary code via a malformed argument. CAN-2002-1397
Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows
attackers to cause a denial of service and possibly execute arbitrary
code via a long date string, also known as a vulnerability "in handling
long datetime input." CAN-2002-1398
Heap-based buffer overflow in the repeat() function for PostgreSQL
before 7.2.2 allows attackers to execute arbitrary code by causing
repeat() to generate a large string. CAN-2002-1400
Buffer overflows in circle_poly, path_encode and path_add allow attackers
to cause a denial of service and possibly execute arbitrary code. Note
that these issues have been fixed in our packages and in PostgreSQL CVS,
but are not included in PostgreSQL version 7.2.2 or 7.2.3. CAN-2002-1401
Buffer overflows in the TZ and SET TIME ZONE environment variables for
PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service
and possibly execute arbitrary code. CAN-2002-1402
Note that these vulnerabilities are only critical on open or shared systems
because connecting to the database is required before the vulnerabilities
can be exploited."
(from Red Hat Advisory)
3. Solution:
a) Updating via apt...
We suggest that you use the apt-get program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:
apt-get update
apt-get install postgresql
b) Updating manually...
Download the updates below and then run the following rpm command.
(Please use a mirror site)
rpm -Fvh [filenames]
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
ppc/postgresql-7.1.3-4bp.2a.ppc.rpm
ppc/postgresql-contrib-7.1.3-4bp.2a.ppc.rpm
ppc/postgresql-devel-7.1.3-4bp.2a.ppc.rpm
ppc/postgresql-docs-7.1.3-4bp.2a.ppc.rpm
ppc/postgresql-jdbc-7.1.3-4bp.2a.ppc.rpm
ppc/postgresql-libs-7.1.3-4bp.2a.ppc.rpm
ppc/postgresql-odbc-7.1.3-4bp.2a.ppc.rpm
ppc/postgresql-perl-7.1.3-4bp.2a.ppc.rpm
ppc/postgresql-python-7.1.3-4bp.2a.ppc.rpm
ppc/postgresql-server-7.1.3-4bp.2a.ppc.rpm
ppc/postgresql-tcl-7.1.3-4bp.2a.ppc.rpm
ppc/postgresql-tk-7.1.3-4bp.2a.ppc.rpm
4. Verification:
MD5 checksum Package
-------------------------------- ----------------------------
ccfe4664183f5204aa436a398a43927d ppc/postgresql-7.1.3-4bp.2a.ppc.rpm
f5b90ae92f11163990babf079a0f7d76 ppc/postgresql-contrib-7.1.3-4bp.2a.ppc.rpm
999da254bdaf902118f00fc74a1a7973 ppc/postgresql-devel-7.1.3-4bp.2a.ppc.rpm
653133756d9ca7c14c84246e4176f3e8 ppc/postgresql-docs-7.1.3-4bp.2a.ppc.rpm
d26cb48e36910c383e45af52cac20646 ppc/postgresql-jdbc-7.1.3-4bp.2a.ppc.rpm
dc55ca4530ffdf34eb1c5b1848ef47f0 ppc/postgresql-libs-7.1.3-4bp.2a.ppc.rpm
e0aa5673a8db983b860747b2f5719e9e ppc/postgresql-odbc-7.1.3-4bp.2a.ppc.rpm
e5530cba131a4873ddb04e488afbecf3 ppc/postgresql-perl-7.1.3-4bp.2a.ppc.rpm
54c06499c6d10e481a10def87fd85453 ppc/postgresql-python-7.1.3-4bp.2a.ppc.rpm
3cf7f82e4e02b026fa2934ba146251f3 ppc/postgresql-server-7.1.3-4bp.2a.ppc.rpm
7ff5c16a8f5f764cd8aac66377f9c83c ppc/postgresql-tcl-7.1.3-4bp.2a.ppc.rpm
08d8fe1a1d493b81908b9bf00293d15c ppc/postgresql-tk-7.1.3-4bp.2a.ppc.rpm
018fe890c410db698d409aeffc79688e SRPMS/postgresql-7.1.3-4bp.2a.src.rpm
If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
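The rpm --checksig check above validates the digest embedded in each package; the list in section 4 additionally lets you compare the files you fetched from a mirror against the checksums Terra Soft published, which is what catches a corrupted or substituted mirror copy. The following script is an added example and is not part of this advisory or of Yellow Dog's tooling: it reads a manifest in the same "MD5 checksum  Package" layout as section 4 (header and ruler lines are skipped), hashes each file in a download directory with md5sum, and reports OK, MISMATCH or MISSING per package. The demo functions build a scratch directory with a constructed file standing in for a package (the contents are made up, only the file name is taken from the advisory) and assume md5sum, mktemp and basename are available.

```shell
#!/bin/sh
# verify_updates.sh: compare downloaded update packages against a published
# checksum manifest. Added example, not code from the Yellow Dog advisory.

# verify_manifest MANIFEST DIR
# MANIFEST holds lines of "<md5> <path>" as printed in section 4 of the
# advisory. Each file is looked up as DIR/<basename of path>. Returns 0 only
# if every listed package is present and its digest matches exactly.
verify_manifest() {
    manifest="$1"; dir="$2"; bad=0
    while read -r expected pkg; do
        # skip blank lines, the "MD5 checksum Package" header and the ruler
        case "$expected" in ''|MD5|--*) continue ;; esac
        file="$dir/$(basename "$pkg")"
        if [ ! -f "$file" ]; then
            echo "MISSING  $pkg"; bad=1; continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $pkg"
        else
            echo "MISMATCH $pkg (expected $expected, got $actual)"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# make_scratch DIR: write a constructed stand-in for one package and a
# manifest entry for it in the advisory's layout (header + ruler + entry).
make_scratch() {
    dir="$1"
    pkgfile="$dir/postgresql-7.1.3-4bp.2a.ppc.rpm"
    printf 'constructed package contents, not a real rpm\n' > "$pkgfile"
    sum=$(md5sum "$pkgfile" | cut -d' ' -f1)
    {
        printf 'MD5 checksum Package\n'
        printf -- '-------------------------------- ----------------------------\n'
        printf '%s ppc/postgresql-7.1.3-4bp.2a.ppc.rpm\n' "$sum"
    } > "$dir/manifest"
}

# Returns 0 when an untouched download passes verification.
demo_clean_package_passes() {
    tmp=$(mktemp -d)
    make_scratch "$tmp"
    if verify_manifest "$tmp/manifest" "$tmp" >/dev/null; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Returns 0 when a file altered after the manifest was published is rejected.
demo_tampered_package_fails() {
    tmp=$(mktemp -d)
    make_scratch "$tmp"
    # simulate a corrupted or substituted mirror copy: append one line
    printf 'trailing garbage\n' >> "$tmp/postgresql-7.1.3-4bp.2a.ppc.rpm"
    if verify_manifest "$tmp/manifest" "$tmp" >/dev/null; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# Stand-alone usage: copy section 4 of the advisory into a file named
# manifest and run   verify_manifest manifest /path/to/downloads
if [ "${1:-}" = "--demo" ]; then
    demo_clean_package_passes && echo "clean package: verified"
    demo_tampered_package_fails && echo "tampered package: rejected"
fi
```

Run the checks before rpm -Fvh, on the files exactly as fetched from the mirror; a MISMATCH means the file should be re-downloaded from another mirror rather than installed.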
5. Misc.
Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more
information.
For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml