--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated PostgreSQL packages fix security issues Advisory ID: FLSA:157366 Issue date: 2006-02-27 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CVE-2005-1409 CVE-2005-1410 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated postgresql packages that fix several security vulnerabilities and risks of data loss are now available. PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). 2. Relevant releases/architectures: Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: The PostgreSQL community discovered two distinct errors in initial system catalog entries that could allow authorized database users to crash the database and possibly escalate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-1409 and CVE-2005-1410 to these issues. Although installing this update will protect new (freshly initdb'd) database installations from these errors, administrators MUST TAKE MANUAL ACTION to repair the errors in pre-existing databases. The appropriate procedures are explained at http://www.postgresql.org/docs/8.0/static/release-7-4-8.html for Fedora Core 2 users, or http://www.postgresql.org/docs/8.0/static/release-7-3-10.html for Fedora Core 1 and Red Hat Linux 9 users. This update also includes fixes for several other errors, including two race conditions that could result in apparent data inconsistency or actual data loss. All users of PostgreSQL are advised to upgrade to these updated packages and to apply the recommended manual corrections to existing databases. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157366 6. RPMs required: Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/postgresql-7.3.10-0.90.1.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-7.3.10-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-contrib-7.3.10-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-devel-7.3.10-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-docs-7.3.10-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-jdbc-7.3.10-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-libs-7.3.10-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-pl-7.3.10-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-python-7.3.10-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-server-7.3.10-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-tcl-7.3.10-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-test-7.3.10-0.90.1.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/postgresql-7.3.10-1.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-7.3.10-1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-contrib-7.3.10-1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-devel-7.3.10-1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-docs-7.3.10-1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-jdbc-7.3.10-1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-libs-7.3.10-1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-pl-7.3.10-1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-python-7.3.10-1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-server-7.3.10-1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-tcl-7.3.10-1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-test-7.3.10-1.1.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/postgresql-7.4.8-1.FC2.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-7.4.8-1.FC2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-contrib-7.4.8-1.FC2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-devel-7.4.8-1.FC2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-docs-7.4.8-1.FC2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-jdbc-7.4.8-1.FC2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-libs-7.4.8-1.FC2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-pl-7.4.8-1.FC2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-python-7.4.8-1.FC2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-server-7.4.8-1.FC2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-tcl-7.4.8-1.FC2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-test-7.4.8-1.FC2.1.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 88bf97be3530effdf1c7c3a779bfe7f80e7ea6be redhat/9/updates/i386/postgresql-7.3.10-0.90.1.legacy.i386.rpm 6130777335db38d64a44d52106353cd76154ca23 redhat/9/updates/i386/postgresql-contrib-7.3.10-0.90.1.legacy.i386.rpm 4bce5f9e6e80edb944a7aa24839f34c609c44c99 redhat/9/updates/i386/postgresql-devel-7.3.10-0.90.1.legacy.i386.rpm f6d7a63730df0a33b4f7582077472bf8cecc0f4e redhat/9/updates/i386/postgresql-docs-7.3.10-0.90.1.legacy.i386.rpm 3f76bb95ef0ce2da9b6a58993cdf7a1000e33019 redhat/9/updates/i386/postgresql-jdbc-7.3.10-0.90.1.legacy.i386.rpm a7a9187c41f2820ca9c2d2364f63859d33d21044 redhat/9/updates/i386/postgresql-libs-7.3.10-0.90.1.legacy.i386.rpm 0d0e4d4e566583111f30f4c06f255daeaf9bbd49 redhat/9/updates/i386/postgresql-pl-7.3.10-0.90.1.legacy.i386.rpm def9d9581141c219e013a875146c75b65af67e91 redhat/9/updates/i386/postgresql-python-7.3.10-0.90.1.legacy.i386.rpm 43590dabe9601ddbefbc6d9086c9b7dfb363acaa redhat/9/updates/i386/postgresql-server-7.3.10-0.90.1.legacy.i386.rpm e4769b82d862178d6d395f52ebcbd56a75e36e71 redhat/9/updates/i386/postgresql-tcl-7.3.10-0.90.1.legacy.i386.rpm fbd07e5eaad5e4ee5bd1b30e02001a043331daff redhat/9/updates/i386/postgresql-test-7.3.10-0.90.1.legacy.i386.rpm 57fc00132f9d66263729566666fd1eba3d7a9d2f redhat/9/updates/SRPMS/postgresql-7.3.10-0.90.1.legacy.src.rpm de59e42459e24cd8846fbd6d765bc892d621a0dc fedora/1/updates/i386/postgresql-7.3.10-1.1.legacy.i386.rpm 88abba3e24f01c6189be15b6481d77b135b6191c fedora/1/updates/i386/postgresql-contrib-7.3.10-1.1.legacy.i386.rpm 39a6163dffc299ba088f8f71c0393fca08648ae9 fedora/1/updates/i386/postgresql-devel-7.3.10-1.1.legacy.i386.rpm 0ac78a44e03f5b31113b7b110d35472aded5ecbd fedora/1/updates/i386/postgresql-docs-7.3.10-1.1.legacy.i386.rpm e8a17936599c1c2aa7a26056ee3449e43a460d07 fedora/1/updates/i386/postgresql-jdbc-7.3.10-1.1.legacy.i386.rpm 421fc09afacbeb0e6773a8c2c1dd2ebb45406fd9 fedora/1/updates/i386/postgresql-libs-7.3.10-1.1.legacy.i386.rpm f79b142305ab70af54594478e248830edfdb8247 fedora/1/updates/i386/postgresql-pl-7.3.10-1.1.legacy.i386.rpm ab86d2fbf57b470934131cb78916117fdf177a4d fedora/1/updates/i386/postgresql-python-7.3.10-1.1.legacy.i386.rpm 71c2abb0a89a19fa88eaa3a22048062ea4d938f3 fedora/1/updates/i386/postgresql-server-7.3.10-1.1.legacy.i386.rpm 92e2b78d179c4aa378875b6ab42c488cad6b44c7 fedora/1/updates/i386/postgresql-tcl-7.3.10-1.1.legacy.i386.rpm 44a3837dd2f7ae68790637be50fe1f29b8d86814 fedora/1/updates/i386/postgresql-test-7.3.10-1.1.legacy.i386.rpm de79d4182b566ec3c4a623cd26c51af2e8938ffb fedora/1/updates/SRPMS/postgresql-7.3.10-1.1.legacy.src.rpm 0046d088278b0c08740222a41ca511d0c0fa3d99 fedora/2/updates/i386/postgresql-7.4.8-1.FC2.1.legacy.i386.rpm 184dd4304908b60a216f3be9f0756fde449c729e fedora/2/updates/i386/postgresql-contrib-7.4.8-1.FC2.1.legacy.i386.rpm 8ae68e66295eddb1936c31fe15cf95662db4b345 fedora/2/updates/i386/postgresql-devel-7.4.8-1.FC2.1.legacy.i386.rpm 7e547b6ee8c0e1b06bc803aa45086971158ced10 fedora/2/updates/i386/postgresql-docs-7.4.8-1.FC2.1.legacy.i386.rpm 646cba1375fa3548aff2a791035f5eacb7927869 fedora/2/updates/i386/postgresql-jdbc-7.4.8-1.FC2.1.legacy.i386.rpm 642feb043c19a5584f60ef45713bf8249c689216 fedora/2/updates/i386/postgresql-libs-7.4.8-1.FC2.1.legacy.i386.rpm 6955df9f381e1683d1d79aa779f5f295e74e2b68 fedora/2/updates/i386/postgresql-pl-7.4.8-1.FC2.1.legacy.i386.rpm 99b1ee5e4c26370d39e52437c10bb9cdcbc5d273 fedora/2/updates/i386/postgresql-python-7.4.8-1.FC2.1.legacy.i386.rpm 167fb15d6f300bd4aaf8a0b080dfa42136ee9f1c fedora/2/updates/i386/postgresql-server-7.4.8-1.FC2.1.legacy.i386.rpm 62f4e5798b3179a49cbe8c515343a0db4687834b fedora/2/updates/i386/postgresql-tcl-7.4.8-1.FC2.1.legacy.i386.rpm 1c8feebe8cf8d2ef07cb004b10cd4cf69e654989 fedora/2/updates/i386/postgresql-test-7.4.8-1.FC2.1.legacy.i386.rpm c2b44a61fdbf644cecccb3edcf78a80dbda9cfa4 fedora/2/updates/SRPMS/postgresql-7.4.8-1.FC2.1.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1409 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1410 9. Contact: The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature