Yellow Dog Linux Security Announcement
--------------------------------------

Package: postgresql
Issue Date: January 27, 2003
Priority: medium
Advisory ID: YDU-20030127-5

1. Topic:

Updated postgresql packages are available.

2. Problem:

"PostgreSQL is an advanced Object-Relational database management system (DBMS). A number of security issues have been found that affect PostgreSQL versions shipped with [Yellow Dog] Linux.

Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the lpad or rpad functions. CAN-2002-0972

Buffer overflow in the cash_words() function for PostgreSQL 7.2 and earlier allows local users to cause a denial of service and possibly execute arbitrary code via a malformed argument. CAN-2002-1397

Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows attackers to cause a denial of service and possibly execute arbitrary code via a long date string, also known as a vulnerability "in handling long datetime input." CAN-2002-1398

Heap-based buffer overflow in the repeat() function for PostgreSQL before 7.2.2 allows attackers to execute arbitrary code by causing repeat() to generate a large string. CAN-2002-1400

Buffer overflows in circle_poly, path_encode and path_add allow attackers to cause a denial of service and possibly execute arbitrary code. Note that these issues have been fixed in our packages and in PostgreSQL CVS, but are not included in PostgreSQL version 7.2.2 or 7.2.3. CAN-2002-1401

Buffer overflows in the TZ and SET TIME ZONE environment variables for PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service and possibly execute arbitrary code. CAN-2002-1402

Note that these vulnerabilities are only critical on open or shared systems because connecting to the database is required before the vulnerabilities can be exploited." (from Red Hat Advisory)

3. Solution:

a) Updating via apt...

We suggest that you use the apt-get program to keep your system up-to-date. The following command(s) will retrieve and install the fixed version of this update onto your system:

    apt-get update
    apt-get install postgresql

b) Updating manually...

Download the updates below and then run the following rpm command. (Please use a mirror site)

    rpm -Fvh [filenames]

ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
    ppc/postgresql-7.1.3-4bp.2a.ppc.rpm
    ppc/postgresql-contrib-7.1.3-4bp.2a.ppc.rpm
    ppc/postgresql-devel-7.1.3-4bp.2a.ppc.rpm
    ppc/postgresql-docs-7.1.3-4bp.2a.ppc.rpm
    ppc/postgresql-jdbc-7.1.3-4bp.2a.ppc.rpm
    ppc/postgresql-libs-7.1.3-4bp.2a.ppc.rpm
    ppc/postgresql-odbc-7.1.3-4bp.2a.ppc.rpm
    ppc/postgresql-perl-7.1.3-4bp.2a.ppc.rpm
    ppc/postgresql-python-7.1.3-4bp.2a.ppc.rpm
    ppc/postgresql-server-7.1.3-4bp.2a.ppc.rpm
    ppc/postgresql-tcl-7.1.3-4bp.2a.ppc.rpm
    ppc/postgresql-tk-7.1.3-4bp.2a.ppc.rpm

4. Verification

MD5 checksum                     Package
-------------------------------- ----------------------------
ccfe4664183f5204aa436a398a43927d ppc/postgresql-7.1.3-4bp.2a.ppc.rpm
f5b90ae92f11163990babf079a0f7d76 ppc/postgresql-contrib-7.1.3-4bp.2a.ppc.rpm
999da254bdaf902118f00fc74a1a7973 ppc/postgresql-devel-7.1.3-4bp.2a.ppc.rpm
653133756d9ca7c14c84246e4176f3e8 ppc/postgresql-docs-7.1.3-4bp.2a.ppc.rpm
d26cb48e36910c383e45af52cac20646 ppc/postgresql-jdbc-7.1.3-4bp.2a.ppc.rpm
dc55ca4530ffdf34eb1c5b1848ef47f0 ppc/postgresql-libs-7.1.3-4bp.2a.ppc.rpm
e0aa5673a8db983b860747b2f5719e9e ppc/postgresql-odbc-7.1.3-4bp.2a.ppc.rpm
e5530cba131a4873ddb04e488afbecf3 ppc/postgresql-perl-7.1.3-4bp.2a.ppc.rpm
54c06499c6d10e481a10def87fd85453 ppc/postgresql-python-7.1.3-4bp.2a.ppc.rpm
3cf7f82e4e02b026fa2934ba146251f3 ppc/postgresql-server-7.1.3-4bp.2a.ppc.rpm
7ff5c16a8f5f764cd8aac66377f9c83c ppc/postgresql-tcl-7.1.3-4bp.2a.ppc.rpm
08d8fe1a1d493b81908b9bf00293d15c ppc/postgresql-tk-7.1.3-4bp.2a.ppc.rpm
018fe890c410db698d409aeffc79688e SRPMS/postgresql-7.1.3-4bp.2a.src.rpm

If you wish to verify that each package has not been corrupted or tampered with, examine the md5sum with the following command:

    rpm --checksig --nogpg filename

5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more information.

For information regarding the usage of apt-get, see: http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml
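The `rpm --checksig --nogpg` command in section 4 checks the digest embedded in each package header, which says nothing about whether the file you downloaded is the one the advisory lists. The following added example (not part of the Yellow Dog advisory or of Terra Soft's tooling) closes that gap for the manual update in section 3b: it reads the section 4 table saved verbatim to a text file, recomputes each MD5 digest, and only runs the `rpm -Fvh` step when every listed file is present and matches. The advisory's table separates digest and path with a single space, which `md5sum -c` does not accept, so the script parses the lines itself. The file names and digests used in the demo function are constructed, not the real packages.

```shell
#!/bin/sh
# Added example: verify downloaded packages against an advisory-style
# "MD5 checksum  Package" table before installing. Assumes the table from
# section 4 was saved to a text file, one "<md5> <relative path>" per line,
# and that the ppc/ directory was mirrored below DOWNLOAD_DIR.

# Print the MD5 hex digest of a file with whichever tool is available.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"                       # BSD/macOS fallback
    fi
}

# verify_package_checksums LISTFILE DOWNLOAD_DIR
# Returns 0 only if every listed package exists under DOWNLOAD_DIR and its
# digest matches; reports each problem and returns 1 otherwise.
verify_package_checksums() {
    list="$1"; dir="$2"; bad=0
    while read -r expected pkg _; do
        # Skip blank lines, the "MD5 checksum Package" header and the dashes.
        case "$expected" in ''|MD5|---*) continue ;; esac
        f="$dir/$pkg"
        if [ ! -f "$f" ]; then
            echo "MISSING  $pkg"; bad=1; continue
        fi
        actual=$(md5_of "$f")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $pkg"
        else
            echo "MISMATCH $pkg (expected $expected, got $actual)"; bad=1
        fi
    done < "$list"
    return $bad
}

# verified_install LISTFILE DOWNLOAD_DIR
# Runs the rpm freshen from section 3b only after every digest checks out.
verified_install() {
    if verify_package_checksums "$1" "$2"; then
        (cd "$2" && rpm -Fvh ppc/*.rpm)
    else
        echo "checksum verification failed; not installing" >&2
        return 1
    fi
}

# Self-contained demo using constructed files and a constructed table
# (hypothetical names, not the advisory's packages). One file is correct,
# one has been altered, so the check is expected to fail with status 1.
demo_verify() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/ppc"
    printf 'hello\n' > "$tmp/ppc/good.rpm"      # md5 b1946ac9...
    printf 'x\n'     > "$tmp/ppc/tampered.rpm"  # does not match the table
    cat > "$tmp/MD5SUMS" <<'EOF'
MD5 checksum                     Package
-------------------------------- ----------------------------
b1946ac92492d2347c6235b4d2611184 ppc/good.rpm
b1946ac92492d2347c6235b4d2611184 ppc/tampered.rpm
EOF
    verify_package_checksums "$tmp/MD5SUMS" "$tmp"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo_verify || echo "demo: verification failed as expected (status $?)"
```

In real use, save the section 4 table to a file, mirror the `ppc/` directory from the FTP site, and call `verified_install MD5SUMS ./download`; the `rpm --checksig --nogpg` check from the advisory remains worthwhile as a second, independent check of each package's own header.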