RHEL 2.1 : postgresql (RHSA-2002:301)

high Nessus Plugin ID 12343

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

Updated PostgreSQL packages are available which correct several minor security vulnerabilities.

[Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1

PostgreSQL is an advanced Object-Relational database management system (DBMS). Red Hat Linux Advanced Server 2.1 shipped with PostgreSQL version 7.1.3 which has several security vulnerabilities.

Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the lpad or rpad functions. CVE-2002-0972

Buffer overflow in the cash_words() function for PostgreSQL 7.2 and earlier allows local users to cause a denial of service and possibly execute arbitrary code via a malformed argument. CVE-2002-1397

Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows attackers to cause a denial of service and possibly execute arbitrary code via a long date string, referred to as a vulnerability 'in handling long datetime input.' CVE-2002-1398

Heap-based buffer overflow in the repeat() function for PostgreSQL before 7.2.2 allows attackers to execute arbitrary code by causing repeat() to generate a large string. CVE-2002-1400

Buffer overflows in circle_poly, path_encode, and path_add allow attackers to cause a denial of service and possibly execute arbitrary code. Note that these issues have been fixed in our packages and in PostgreSQL CVS, but are not included in PostgreSQL version 7.2.2 or 7.2.3. CVE-2002-1401

Buffer overflows in the TZ and SET TIME ZONE enivronment variables for PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service and possibly execute arbitrary code. CVE-2002-1402

Note that these vulnerabilities are only critical on open or shared systems because connecting to the database is required before the vulnerabilities can be exploited.

The PostgreSQL Global Development Team has released versions of PostgreSQL that fix these vulnerabilities, and these fixes have been isolated and backported into the updated 7.1.3 packages provided with this errata. All users of Red Hat Linux Advanced Server 2.1 who use PostgreSQL are advised to install these updated packages.

Solution

Update the affected packages.

See Also

https://online.securityfocus.com/archive/1/288036

https://access.redhat.com/errata/RHSA-2002:301

https://access.redhat.com/security/cve/cve-2002-0972

https://access.redhat.com/security/cve/cve-2002-1397

https://access.redhat.com/security/cve/cve-2002-1398

https://access.redhat.com/security/cve/cve-2002-1400

https://access.redhat.com/security/cve/cve-2002-1401

https://access.redhat.com/security/cve/cve-2002-1402

https://lwn.net/Articles/8445/

https://marc.info/?l=postgresql-announce&m=103062536330644

https://marc.info/?l=bugtraq&m=102978152712430

https://marc.info/?l=bugtraq&m=102987306029821

https://marc.info/?l=postgresql-general&m=102995302604086

https://online.securityfocus.com/archive/1/288334

https://online.securityfocus.com/archive/1/288305

Plugin Details

Severity: High

ID: 12343

File Name: redhat-RHSA-2002-301.nasl

Version: 1.27

Type: local

Agent: unix

Published: 7/6/2004

Updated: 1/14/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:postgresql-tk, p-cpe:/a:redhat:enterprise_linux:postgresql-tcl, p-cpe:/a:redhat:enterprise_linux:postgresql-contrib, p-cpe:/a:redhat:enterprise_linux:postgresql-odbc, p-cpe:/a:redhat:enterprise_linux:postgresql-jdbc, p-cpe:/a:redhat:enterprise_linux:postgresql-python, p-cpe:/a:redhat:enterprise_linux:postgresql-docs, p-cpe:/a:redhat:enterprise_linux:postgresql-libs, p-cpe:/a:redhat:enterprise_linux:postgresql-perl, p-cpe:/a:redhat:enterprise_linux:postgresql, p-cpe:/a:redhat:enterprise_linux:postgresql-devel, p-cpe:/a:redhat:enterprise_linux:postgresql-server, cpe:/o:redhat:enterprise_linux:2.1

Required KB Items: Host/cpu, Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 2/5/2003

Vulnerability Publication Date: 9/24/2002

Reference Information

CVE: CVE-2002-0972, CVE-2002-1397, CVE-2002-1398, CVE-2002-1400, CVE-2002-1401, CVE-2002-1402

CWE: 119

RHSA: 2002:301