First published: Wed May 19 2010

PostgreSQL is an advanced object-relational database management system (DBMS). PL/Perl and PL/Tcl allow users to write PostgreSQL functions in the Perl and Tcl languages, and are installed in trusted mode by default. In trusted mode, certain operations, such as operating system level access, are restricted.

A flaw was found in the way PostgreSQL enforced permission checks on scripts written in PL/Perl. If the PL/Perl procedural language was registered on a particular database, an authenticated database user running a specially-crafted PL/Perl script could use this flaw to bypass intended PL/Perl trusted mode restrictions, allowing them to run arbitrary Perl scripts with the privileges of the database server. (CVE-2010-1169)

Red Hat would like to thank Tim Bunce for responsibly reporting the CVE-2010-1169 flaw.

A flaw was found in the way PostgreSQL enforced permission checks on scripts written in PL/Tcl. If the PL/Tcl procedural language was registered on a particular database, an authenticated database user running a specially-crafted PL/Tcl script could use this flaw to bypass intended PL/Tcl trusted mode restrictions, allowing them to run arbitrary Tcl scripts with the privileges of the database server. (CVE-2010-1170)

These packages upgrade PostgreSQL to version 8.4.4. Refer to the PostgreSQL Release Notes for a list of changes: http://www.postgresql.org/docs/8.4/static/release.html

All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update.

Affected Software | Affected Version | How to fix |
---|---|---|
redhat/postgresql84 | <8.4.4-1.el5_5.1 | 8.4.4-1.el5_5.1 |
redhat/postgresql84-contrib | <8.4.4-1.el5_5.1 | 8.4.4-1.el5_5.1 |
redhat/postgresql84-devel | <8.4.4-1.el5_5.1 | 8.4.4-1.el5_5.1 |
redhat/postgresql84-docs | <8.4.4-1.el5_5.1 | 8.4.4-1.el5_5.1 |
redhat/postgresql84-libs | <8.4.4-1.el5_5.1 | 8.4.4-1.el5_5.1 |
redhat/postgresql84-plperl | <8.4.4-1.el5_5.1 | 8.4.4-1.el5_5.1 |
redhat/postgresql84-plpython | <8.4.4-1.el5_5.1 | 8.4.4-1.el5_5.1 |
redhat/postgresql84-pltcl | <8.4.4-1.el5_5.1 | 8.4.4-1.el5_5.1 |
redhat/postgresql84-python | <8.4.4-1.el5_5.1 | 8.4.4-1.el5_5.1 |
redhat/postgresql84-server | <8.4.4-1.el5_5.1 | 8.4.4-1.el5_5.1 |
redhat/postgresql84-tcl | <8.4.4-1.el5_5.1 | 8.4.4-1.el5_5.1 |
redhat/postgresql84-test | <8.4.4-1.el5_5.1 | 8.4.4-1.el5_5.1 |
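
To triage hosts against the fixed version in the table above, the following added example (not part of the advisory or of any Red Hat tooling) flags `postgresql84*` packages older than `8.4.4-1.el5_5.1`. It uses a simplified rpm-style comparison that assumes no epoch and no `~` or `^` in versions; the function names and the inventory lines are constructed for illustration.

```python
import re

FIXED = "8.4.4-1.el5_5.1"  # fixed version-release from the advisory table

def _segments(s):
    # rpm compares runs of digits or letters; separators such as '.' and '_' are ignored
    return re.findall(r"\d+|[A-Za-z]+", s)

def _cmp_part(a, b):
    """Compare one version or release string rpm-style (assumption: no ~ or ^)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # all shared segments equal: the string with segments left over is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def cmp_vr(a, b):
    """Compare two VERSION-RELEASE strings; returns -1, 0 or 1 (assumption: no epoch)."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def unpatched(inventory):
    """Return (name, version-release) for postgresql84* packages older than FIXED."""
    hits = []
    for line in inventory.splitlines():
        fields = line.split()
        if len(fields) != 2 or not fields[0].startswith("postgresql84"):
            continue
        if cmp_vr(fields[1], FIXED) < 0:
            hits.append((fields[0], fields[1]))
    return hits

# Constructed sample, in the format of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """\
postgresql84-server 8.4.3-1.el5_5.1
postgresql84-plperl 8.4.4-1.el5_5.1
postgresql84-pltcl 8.4.2-1.el5
postgresql84-libs 8.4.4-1.el5_5.2
openssl 0.9.8e-12.el5
"""

if __name__ == "__main__":
    for name, vr in unpatched(SAMPLE):
        print(f"{name} {vr} is older than {FIXED}")
```

A package at a fixed version closes the flaw in the server binaries; whether PL/Perl or PL/Tcl is registered in a given database is a separate per-database check.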