CESA-2008:0038: RHSA-2008:0038

Description

Moderate: postgresql security updatePostgreSQL is an advanced Object-Relational database management system(DBMS). The postgresql packages include the client programs and librariesneeded to access a PostgreSQL DBMS server.Will Drewry discovered multiple flaws in PostgreSQL's regular expressionengine. An authenticated attacker could use these flaws to cause a denialof service by causing the PostgreSQL server to crash, enter an infiniteloop, or use extensive CPU and memory resources while processing queriescontaining specially crafted regular expressions. Applications that acceptregular expressions from untrusted sources may expose this problem tounauthorized attackers. (CVE-2007-4769, CVE-2007-4772, CVE-2007-6067)A privilege escalation flaw was discovered in PostgreSQL. An authenticatedattacker could create an index function that would be executed withadministrator privileges during database maintenance tasks, such asdatabase vacuuming. (CVE-2007-6600)A privilege escalation flaw was discovered in PostgreSQL's Database Linklibrary (dblink). An authenticated attacker could use dblink to possiblyescalate privileges on systems with "trust" or "ident" authenticationconfigured. Please note that dblink functionality is not enabled bydefault, and can only by enabled by a database administrator on systemswith the postgresql-contrib package installed. (CVE-2007-3278,CVE-2007-6601)All postgresql users should upgrade to these updated packages, whichinclude PostgreSQL 7.4.19 and 8.1.11, and resolve these issues.