- Vulnerability/
- RHSA-2008:0040
RHSA-2008:0040: Moderate: postgresql security update
First published: Fri Feb 01 2008(Updated: )
PostgreSQL is an advanced Object-Relational database management system<br>(DBMS). The postgresql packages include the client programs and libraries<br>needed to access a PostgreSQL DBMS server.<br>Will Drewry discovered multiple flaws in PostgreSQL's regular expression<br>engine. An authenticated attacker could use these flaws to cause a denial<br>of service by causing the PostgreSQL server to crash, enter an infinite<br>loop, or use extensive CPU and memory resources while processing queries<br>containing specially crafted regular expressions. Applications that accept<br>regular expressions from untrusted sources may expose this problem to<br>unauthorized attackers. (CVE-2007-4769, CVE-2007-4772, CVE-2007-6067)<br>A privilege escalation flaw was discovered in PostgreSQL. An authenticated<br>attacker could create an index function that would be executed with<br>administrator privileges during database maintenance tasks, such as<br>database vacuuming. (CVE-2007-6600)<br>A privilege escalation flaw was discovered in PostgreSQL's Database Link<br>library (dblink). An authenticated attacker could use dblink to possibly<br>escalate privileges on systems with "trust" or "ident" authentication<br>configured. Please note that dblink functionality is not enabled by<br>default, and can only by enabled by a database administrator on systems<br>with the postgresql-contrib package installed.<br>(CVE-2007-3278, CVE-2007-6601)<br>All postgresql users should upgrade to these updated packages, which<br>include PostgreSQL 8.1.11 and 8.2.6, and resolve these issues.
| Affected Software | Affected Version | How to fix |
|---|
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=309141
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=315231
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=316511
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=400931
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=427127
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=427128
- http://www.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/errata/RHSA-2008:0040 (Advisory)
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2008:0040
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type