[UNIX] PostgreSQL Cumulative Security Release (2007-01-07)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



PostgreSQL Cumulative Security Release (2007-01-07)
------------------------------------------------------------------------


SUMMARY

Today the PostgreSQL Global Development Group is releasing updated
versions which patch five security vulnerabilities. These releases update
all current PostgreSQL versions, including 8.2, 8.1, 8.0, 7.4 and 7.3.
They are considered CRITICAL and PostgreSQL DBAs and sysadmins should
install the update as soon as they reasonably can. Our security team has
made all efforts to make these patches backwards-compatible, and upgrading
does not require converting your data files.

Please read the remainder of this message for further important details
and announcements.

DETAILS

Vulnerable Systems:
* PostgreSQL version 8.2
* PostgreSQL version 8.1
* PostgreSQL version 8.0
* PostgreSQL version 7.4
* PostgreSQL version 7.3

Immune Systems:
* PostgreSQL version 8.2.6
* PostgreSQL version 8.1.11
* PostgreSQL version 8.0.15
* PostgreSQL version 7.4.19
* PostgreSQL version 7.3.21

There are five security fixes included in this release. None of these
issues are known to have been exploited in the field; they were discovered
through security analysis.

Index Functions Privilege Escalation (CVE-2007-6600): as a unique feature,
PostgreSQL allows users to create indexes on the results of user-defined
functions, known as "expression indexes". This provided two
vulnerabilities to privilege escalation: (1) index functions were executed
as the superuser and not the table owner during VACUUM and ANALYZE, and
(2) that SET ROLE and SET SESSION AUTHORIZATION were permitted within
index functions. Both of these holes have now been closed.

Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067,
CVE-2007-4769): three separate issues in the regular expression libraries
used by PostgreSQL allowed malicious users to initiate a denial-of-service
by passing certain regular expressions in SQL queries. First, users could
create infinite loops using some specific regular expressions. Second,
certain complex regular expressions could consume excessive amounts of
memory. Third, out-of-range backref numbers could be used to crash the
backend. All of these issues have been patched.

DBLink Privilege Escalation (CVE-2007-6601): DBLink functions combined
with local trust or ident authentication could be used by a malicious user
to gain superuser privileges. This issue has been fixed, and does not
affect users who have not installed DBLink (an optional module), or who
are using password authentication for local access. This same problem was
addressed in the previous release cycle (see CVE-2007-3278), but that
patch failed to close all forms of the loophole.

Download and Install
PostgreSQL minor releases 8.2.6, 8.1.11, 8.0.15, 7.4.19 and 7.3.21 are
available through our FTP mirror network:
Source Code: <http://www.postgresql.org/ftp/source/>
http://www.postgresql.org/ftp/source/
Binaries for some platforms: <http://www.postgresql.org/ftp/binary/>
http://www.postgresql.org/ftp/binary/

If you need additional information on the included updates, it's available
in our Release Notes (
<http://www.postgresql.org/docs/current/static/release.html>
http://www.postgresql.org/docs/current/static/release.html). These
upgrades can be copied directly over existing PostgreSQL binaries and do
not require dump-and-reload for any system which has been updated in the
last six months (older versions may require some specific post-update
steps; see the release notes).

As always, PostgreSQL update releases are cumulative. All security fixes
will be included in the upcoming version 8.3 release candidate. This
notice will be posted to the PostgreSQL security page:
<http://www.postgresql.org/support/security>
http://www.postgresql.org/support/security


ADDITIONAL INFORMATION

The information has been provided by <mailto:josh@xxxxxxxxxxxx> Josh
Berkus.
The original article can be found at:
<http://www.postgresql.org/support/security>
http://www.postgresql.org/support/security



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • PostgreSQL 2007-01-07 Cumulative Security Release
    ... They are considered CRITICAL and PostgreSQL DBAs and sysadmins should install the update as soon as they reasonably can. ... Our security team has made all efforts to make these patches backwards-compatible, and upgrading does not require converting your data files. ... Index Functions Privilege Escalation: as a unique feature, PostgreSQL allows users to create indexes on the results of user-defined functions, known as "expression indexes". ... three separate issues in the regular expression libraries used by PostgreSQL allowed malicious users to initiate a denial-of-service by passing certain regular expressions in SQL queries. ...
    (Bugtraq)
  • Re: postgresql configuration and set-up
    ... I CC'ed you on this because I don't have a formal bugreport ... utility working yet and thought it would helpful if you read this. ... required ident which is not installed with postgresql and should be ... Security issue and a Bug. ...
    (Debian-User)
  • Re: postgresql configuration and set-up
    ... Each DBA has to assess his own security requirements and ... change the setup to suit his own needs. ... > This puts the onus of security access to postgresql on postgresql and ... > ifconfig at package installation time if required. ...
    (Debian-User)
  • Re: postgresql configuration and set-up
    ... Each DBA has to assess his own security requirements and ... change the setup to suit his own needs. ... > This puts the onus of security access to postgresql on postgresql and ... > ifconfig at package installation time if required. ...
    (Debian-User)
  • Re: RegEx question - group negation
    ... begin Gerald Maschl wrote: ... > I need a regular expression that negates a group. ... Is it possible with regular expressions at ... With Windows appearance is primary, function is second, and security is addressed if enough complaints come in. ...
    (comp.unix.questions)