Yellow Dog Security Advisory: YDU-20030127-5

yellowdog-updates@lists.terrasoftsolutions.com
Mon, 27 Jan 2003 01:24:16 -0700 (MST)


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	postgresql
Issue Date:	January 27, 2003
Priority:	medium	
Advisory ID: 	YDU-20030127-5


1. 	Topic:

	Updated postgresql packages are available.


2. 	Problem:

	"PostgreSQL is an advanced Object-Relational database management system
	(DBMS). A number of security issues have been found that affect PostgreSQL
	versions shipped with [Yellow Dog] Linux.

	Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of
	service and possibly execute arbitrary code via long arguments to the lpad
	or rpad functions. CAN-2002-0972

	Buffer overflow in the cash_words() function for PostgreSQL 7.2 and
	earlier allows local users to cause a denial of service and possibly
	execute arbitrary code via a malformed argument. CAN-2002-1397

	Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows
	attackers to cause a denial of service and possibly execute arbitrary
	code via a long date string, also known as a vulnerability "in handling
	long datetime input." CAN-2002-1398

	Heap-based buffer overflow in the repeat() function for PostgreSQL
	before 7.2.2 allows attackers to execute arbitrary code by causing
	repeat() to generate a large string. CAN-2002-1400

	Buffer overflows in circle_poly, path_encode and path_add allow attackers
	to cause a denial of service and possibly execute arbitrary code. Note
	that these issues have been fixed in our packages and in PostgreSQL CVS,
	but are not included in PostgreSQL version 7.2.2 or 7.2.3. CAN-2002-1401

	Buffer overflows in the TZ and SET TIME ZONE environment variables for
	PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service
	and possibly execute arbitrary code. CAN-2002-1402

	Note that these vulnerabilities are only critical on open or shared systems
	because connecting to the database is required before the vulnerabilities
	can be exploited."
	(from Red Hat Advisory)


3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system.
   	If any of the subpackages listed under b) (postgresql-server,
   	postgresql-libs, and so on) are also installed, add them to the
   	same apt-get install line so that they are upgraded together:

		apt-get update
		apt-get install postgresql

   	b) Updating manually...
	Download the updates below and then run the following rpm command.
	(Please use a mirror site.) Note that -F (freshen) upgrades only
	those packages that are already installed and skips the rest, so all
	of the files can be passed at once.

		rpm -Fvh [filenames]
		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
			ppc/postgresql-7.1.3-4bp.2a.ppc.rpm
			ppc/postgresql-contrib-7.1.3-4bp.2a.ppc.rpm
			ppc/postgresql-devel-7.1.3-4bp.2a.ppc.rpm
			ppc/postgresql-docs-7.1.3-4bp.2a.ppc.rpm
			ppc/postgresql-jdbc-7.1.3-4bp.2a.ppc.rpm
			ppc/postgresql-libs-7.1.3-4bp.2a.ppc.rpm
			ppc/postgresql-odbc-7.1.3-4bp.2a.ppc.rpm
			ppc/postgresql-perl-7.1.3-4bp.2a.ppc.rpm
			ppc/postgresql-python-7.1.3-4bp.2a.ppc.rpm
			ppc/postgresql-server-7.1.3-4bp.2a.ppc.rpm
			ppc/postgresql-tcl-7.1.3-4bp.2a.ppc.rpm
			ppc/postgresql-tk-7.1.3-4bp.2a.ppc.rpm

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
ccfe4664183f5204aa436a398a43927d  ppc/postgresql-7.1.3-4bp.2a.ppc.rpm
f5b90ae92f11163990babf079a0f7d76  ppc/postgresql-contrib-7.1.3-4bp.2a.ppc.rpm
999da254bdaf902118f00fc74a1a7973  ppc/postgresql-devel-7.1.3-4bp.2a.ppc.rpm
653133756d9ca7c14c84246e4176f3e8  ppc/postgresql-docs-7.1.3-4bp.2a.ppc.rpm
d26cb48e36910c383e45af52cac20646  ppc/postgresql-jdbc-7.1.3-4bp.2a.ppc.rpm
dc55ca4530ffdf34eb1c5b1848ef47f0  ppc/postgresql-libs-7.1.3-4bp.2a.ppc.rpm
e0aa5673a8db983b860747b2f5719e9e  ppc/postgresql-odbc-7.1.3-4bp.2a.ppc.rpm
e5530cba131a4873ddb04e488afbecf3  ppc/postgresql-perl-7.1.3-4bp.2a.ppc.rpm
54c06499c6d10e481a10def87fd85453  ppc/postgresql-python-7.1.3-4bp.2a.ppc.rpm
3cf7f82e4e02b026fa2934ba146251f3  ppc/postgresql-server-7.1.3-4bp.2a.ppc.rpm
7ff5c16a8f5f764cd8aac66377f9c83c  ppc/postgresql-tcl-7.1.3-4bp.2a.ppc.rpm
08d8fe1a1d493b81908b9bf00293d15c  ppc/postgresql-tk-7.1.3-4bp.2a.ppc.rpm
018fe890c410db698d409aeffc79688e  SRPMS/postgresql-7.1.3-4bp.2a.src.rpm


If you wish to verify that each package has not been corrupted or tampered with,
compare the MD5 checksum of the downloaded file with the table above
(md5sum filename) and check the digest embedded in the package with the
following command: rpm --checksig --nogpg filename
Note that --nogpg skips the GPG signature check, so neither step establishes who
built the package; they only detect corruption or modification of the file after
the checksums were published.
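The following script is an added example and is not part of the original Yellow Dog advisory. It shows the verify-before-install step as a practitioner would script it: every downloaded package is checked against a checksum table saved in the two-column format of section 4, and rpm -Fvh is run only if all of them match. The manifest file name (MD5SUMS), the download directory layout (ppc/ and SRPMS/ subdirectories as in the table) and the constructed package contents in the demo are assumptions; no real packages are downloaded.

```shell
#!/bin/sh
# Added example, not from the Yellow Dog advisory: verify downloaded packages
# against an MD5 table before installing them.
#
# Assumptions (not stated in the advisory):
#   - the table from section 4 has been saved as $DOWNLOADS/MD5SUMS, one
#     package per line in the form "<md5>  <relative/path>"
#   - the packages were fetched into $DOWNLOADS preserving the ppc/ and
#     SRPMS/ subdirectories used in the table

# md5_of FILE: print the hex MD5 of FILE (GNU coreutils md5sum or BSD md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_manifest MANIFEST DIR
# For each "<md5>  <relpath>" line in MANIFEST, compare the MD5 of DIR/relpath
# with the expected value. Blank lines and lines starting with '#' are skipped.
# Prints one status line per package and returns 0 only if every listed file
# is present and matches; any MISSING or MISMATCH entry makes it return 1.
# (Paths containing whitespace are not supported by this simple parser.)
verify_manifest() {
    manifest=$1
    dir=$2
    rc=0
    while read -r expected relpath; do
        case $expected in ''|'#'*) continue ;; esac
        file="$dir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"
            rc=1
            continue
        fi
        actual=$(md5_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (expected $expected, got $actual)"
            rc=1
        fi
    done <"$manifest"
    return $rc
}

# verify_then_freshen MANIFEST DIR
# Refuse to run rpm at all unless every package in MANIFEST verifies; then
# freshen (-F) the binary ppc/ packages, which upgrades only the ones that
# are already installed and skips the others.
verify_then_freshen() {
    verify_manifest "$1" "$2" || {
        echo "verification failed; not installing" >&2
        return 1
    }
    rpm -Fvh "$2"/ppc/*.rpm
}

# Demo on constructed data: build a fake package file, list it in a manifest,
# verify it, then append a byte to it and verify again.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/ppc"
    pkg="ppc/postgresql-7.1.3-4bp.2a.ppc.rpm"
    printf 'constructed package bytes\n' >"$tmp/$pkg"
    printf '%s  %s\n' "$(md5_of "$tmp/$pkg")" "$pkg" >"$tmp/MD5SUMS"
    echo "--- intact download:"
    if verify_manifest "$tmp/MD5SUMS" "$tmp"; then
        echo "verification passed; rpm -Fvh would run here"
    fi
    printf 'tampered\n' >>"$tmp/$pkg"
    echo "--- after tampering:"
    if ! verify_manifest "$tmp/MD5SUMS" "$tmp"; then
        echo "verification failed; nothing installed"
    fi
    rm -rf "$tmp"
}

demo
```

The demo never calls rpm; in real use, run verify_then_freshen "$DOWNLOADS/MD5SUMS" "$DOWNLOADS" after fetching the files from a mirror. Because the table and the packages usually come from the same place, a matching MD5 proves only that the file was not corrupted or altered after the table was published, not who built it.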


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and
package enhancement announcements will be posted. See
http://lists.terrasoftsolutions.com/ for more information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml