RHSA-2010:0430: postgresql84 security update

Description

PostgreSQL is an advanced object-relational database management system(DBMS). PL/Perl and PL/Tcl allow users to write PostgreSQL functions in thePerl and Tcl languages, and are installed in trusted mode by default. Intrusted mode, certain operations, such as operating system level access,are restricted.A flaw was found in the way PostgreSQL enforced permission checks onscripts written in PL/Perl. If the PL/Perl procedural language wasregistered on a particular database, an authenticated database user runninga specially-crafted PL/Perl script could use this flaw to bypass intendedPL/Perl trusted mode restrictions, allowing them to run arbitrary Perlscripts with the privileges of the database server. (CVE-2010-1169)Red Hat would like to thank Tim Bunce for responsibly reporting theCVE-2010-1169 flaw.A flaw was found in the way PostgreSQL enforced permission checks onscripts written in PL/Tcl. If the PL/Tcl procedural language was registeredon a particular database, an authenticated database user running aspecially-crafted PL/Tcl script could use this flaw to bypass intendedPL/Tcl trusted mode restrictions, allowing them to run arbitrary Tclscripts with the privileges of the database server. (CVE-2010-1170)These packages upgrade PostgreSQL to version 8.4.4. Refer to the PostgreSQLRelease Notes for a list of changes:http://www.postgresql.org/docs/8.4/static/release.htmlAll PostgreSQL users are advised to upgrade to these updated packages,which correct these issues. If the postgresql service is running, it willbe automatically restarted after installing this update.