Bug 74505 - Multiple Postgresql Security Vulnerabilities
Summary: Multiple Postgresql Security Vulnerabilities
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: postgresql   
(Show other bugs)
Version: 7.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Andrew Overholt
QA Contact: David Lawrence
URL: http://postgresql.org/news.html
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-09-25 15:03 UTC by Need Real Name
Modified: 2007-04-18 16:46 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-01-17 14:31:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Need Real Name 2002-09-25 15:03:50 UTC
Quoted from the Postgresql site:

"Due to recent security vulnerabilities reported on BugTraq, concerning several
buffer overruns found in PostgreSQL, the PostgreSQL Global Development Team
today released v7.2.2 of PostgreSQL that fixes these vulnerabilities.

The following buffer overruns have been identified and addressed:

    * in handling long datetime input
    * in repeat()
    * in lpad() and rpad() with multibyte
    * in SET TIME ZONE and TZ env var "

I have not verified that this version is vulnerable, however it was released
months before the vulnerabilities were patched, so I expect that it is indeed
vulnerable.

Other URL's with information on these multiple vulnerabilities include:

http://lwn.net/Articles/8445/
http://online.securityfocus.com/archive/1/288334
http://online.securityfocus.com/archive/1/288305
http://online.securityfocus.com/archive/1/288036

Comment 1 Mark J. Cox 2002-12-18 14:32:30 UTC
An errata to address these flaws (and others) is in progress.  However note that
these are fairly minor security issues as they would require  the ability to be
able to connect to the database before they can be exploited.

Comment 2 Mark J. Cox 2003-01-17 14:31:16 UTC
This is fixed by
https://rhn.redhat.com/errata/RHSA-2003-001.html
which was released this week.


Note You need to log in before you can comment on or make changes to this bug.