Rapid7 Vulnerability & Exploit Database

RHSA-2010:0430: postgresql84 security update

Back to Search

RHSA-2010:0430: postgresql84 security update

Severity
9
CVSS
(AV:N/AC:M/Au:S/C:C/I:C/A:C)
Published
05/19/2010
Created
07/25/2018
Added
05/28/2010
Modified
07/04/2017

Description

PostgreSQL is an advanced object-relational database management system(DBMS). PL/Perl and PL/Tcl allow users to write PostgreSQL functions in thePerl and Tcl languages, and are installed in trusted mode by default. Intrusted mode, certain operations, such as operating system level access,are restricted.A flaw was found in the way PostgreSQL enforced permission checks onscripts written in PL/Perl. If the PL/Perl procedural language wasregistered on a particular database, an authenticated database user runninga specially-crafted PL/Perl script could use this flaw to bypass intendedPL/Perl trusted mode restrictions, allowing them to run arbitrary Perlscripts with the privileges of the database server. (CVE-2010-1169)Red Hat would like to thank Tim Bunce for responsibly reporting theCVE-2010-1169 flaw.A flaw was found in the way PostgreSQL enforced permission checks onscripts written in PL/Tcl. If the PL/Tcl procedural language was registeredon a particular database, an authenticated database user running aspecially-crafted PL/Tcl script could use this flaw to bypass intendedPL/Tcl trusted mode restrictions, allowing them to run arbitrary Tclscripts with the privileges of the database server. (CVE-2010-1170)These packages upgrade PostgreSQL to version 8.4.4. Refer to the PostgreSQLRelease Notes for a list of changes:http://www.postgresql.org/docs/8.4/static/release.htmlAll PostgreSQL users are advised to upgrade to these updated packages,which correct these issues. If the postgresql service is running, it willbe automatically restarted after installing this update.

Solution(s)

  • redhat-upgrade-postgresql84
  • redhat-upgrade-postgresql84-contrib
  • redhat-upgrade-postgresql84-devel
  • redhat-upgrade-postgresql84-docs
  • redhat-upgrade-postgresql84-libs
  • redhat-upgrade-postgresql84-plperl
  • redhat-upgrade-postgresql84-plpython
  • redhat-upgrade-postgresql84-pltcl
  • redhat-upgrade-postgresql84-python
  • redhat-upgrade-postgresql84-server
  • redhat-upgrade-postgresql84-tcl
  • redhat-upgrade-postgresql84-test

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;