Common Vulnerabilities and Exposures assigned an identifier CVE-2007-3278 to the following vulnerability: PostgreSQL 8.1 and probably later versions, when local trust authentication is enabled and the Database Link library (dblink) is installed, allows remote attackers to access arbitrary accounts and execute arbitrary SQL queries via a dblink host parameter that proxies the connection from 127.0.0.1. References: http://www.securityfocus.com/archive/1/archive/1/471541/100/0/threaded http://www.securityfocus.com/archive/1/471644/100/0/threaded http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf
Red Hat does not consider this do be a security issue. dblink is disabled in default configuration of PostgreSQL packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 and 5, and it is a configuration decision whether to grant local users arbitrary access.
This issue was addressed in: Red Hat Application Stack: http://rhn.redhat.com/errata/RHSA-2008-0040.html Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0038.html http://rhn.redhat.com/errata/RHSA-2008-0039.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2253