rhsa-2003_010
Vulnerability from csaf_redhat
Published
2003-01-14 22:40
Modified
2024-11-05 16:14
Summary
Red Hat Security Advisory: : Updated PostgreSQL packages fix buffer overrun vulnerabilities
Notes
Topic
Updated PostgreSQL packages are available for Red Hat Linux 6.2, 7, 7.1,
and 7.2 where we have backported a number of security fixes. A separate
advisory deals with updated PostgreSQL packages for Red Hat Linux 7.3 and 8.0.
Details
PostgreSQL is an advanced Object-Relational database management system
(DBMS). A number of security issues have been found that affect PostgreSQL
versions shipped with Red Hat Linux.
Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of
service and possibly execute arbitrary code via long arguments to the lpad
or rpad functions. CAN-2002-0972
Buffer overflow in the cash_words() function for PostgreSQL 7.2 and
earlier allows local users to cause a denial of service and possibly
execute arbitrary code via a malformed argument. CAN-2002-1397
Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows
attackers to cause a denial of service and possibly execute arbitrary
code via a long date string, also known as a vulnerability "in handling
long datetime input." CAN-2002-1398
Heap-based buffer overflow in the repeat() function for PostgreSQL
before 7.2.2 allows attackers to execute arbitrary code by causing
repeat() to generate a large string. CAN-2002-1400
Buffer overflows in circle_poly, path_encode and path_add allow attackers
to cause a denial of service and possibly execute arbitrary code. Note
that these issues have been fixed in our packages and in PostgreSQL CVS,
but are not included in PostgreSQL version 7.2.2 or 7.2.3. CAN-2002-1401
Buffer overflows in the TZ and SET TIME ZONE enivronment variables for
PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service
and possibly execute arbitrary code. CAN-2002-1402
Note that these vulnerabilities are only critical on open or shared systems
because connecting to the database is required before the vulnerabilities
can be exploited.
The PostgreSQL Global Development Team has released versions of PostgreSQL
that fixes these vulnerabilities, and these fixes have been isolated and
backported to the various versions of PostgreSQL that originally shipped
with each Red Hat Linux distribution. All users of PostgreSQL are advised
to install these updated packages.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated PostgreSQL packages are available for Red Hat Linux 6.2, 7, 7.1,\nand 7.2 where we have backported a number of security fixes. A separate\nadvisory deals with updated PostgreSQL packages for Red Hat Linux 7.3 and 8.0.",
"title": "Topic"
},
{
"category": "general",
"text": "PostgreSQL is an advanced Object-Relational database management system\n(DBMS). A number of security issues have been found that affect PostgreSQL\nversions shipped with Red Hat Linux. \n\nBuffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of\nservice and possibly execute arbitrary code via long arguments to the lpad\nor rpad functions. CAN-2002-0972\n\nBuffer overflow in the cash_words() function for PostgreSQL 7.2 and\nearlier allows local users to cause a denial of service and possibly\nexecute arbitrary code via a malformed argument. CAN-2002-1397\n\nBuffer overflow in the date parser for PostgreSQL before 7.2.2 allows\nattackers to cause a denial of service and possibly execute arbitrary\ncode via a long date string, also known as a vulnerability \"in handling\nlong datetime input.\" CAN-2002-1398\n\nHeap-based buffer overflow in the repeat() function for PostgreSQL\nbefore 7.2.2 allows attackers to execute arbitrary code by causing\nrepeat() to generate a large string. CAN-2002-1400\n\nBuffer overflows in circle_poly, path_encode and path_add allow attackers\nto cause a denial of service and possibly execute arbitrary code. Note\nthat these issues have been fixed in our packages and in PostgreSQL CVS,\nbut are not included in PostgreSQL version 7.2.2 or 7.2.3. CAN-2002-1401\n\nBuffer overflows in the TZ and SET TIME ZONE enivronment variables for\nPostgreSQL 7.2.1 and earlier allow local users to cause a denial of service\nand possibly execute arbitrary code. CAN-2002-1402\n\nNote that these vulnerabilities are only critical on open or shared systems\nbecause connecting to the database is required before the vulnerabilities\ncan be exploited.\n\nThe PostgreSQL Global Development Team has released versions of PostgreSQL\nthat fixes these vulnerabilities, and these fixes have been isolated and\nbackported to the various versions of PostgreSQL that originally shipped\nwith each Red Hat Linux distribution. All users of PostgreSQL are advised\nto install these updated packages.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:010",
"url": "https://access.redhat.com/errata/RHSA-2003:010"
},
{
"category": "external",
"summary": "http://lwn.net/Articles/8445/",
"url": "http://lwn.net/Articles/8445/"
},
{
"category": "external",
"summary": "http://marc.theaimsgroup.com/?l=postgresql-announce\u0026m=103062536330644",
"url": "http://marc.theaimsgroup.com/?l=postgresql-announce\u0026m=103062536330644"
},
{
"category": "external",
"summary": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=102978152712430",
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=102978152712430"
},
{
"category": "external",
"summary": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=102987306029821",
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=102987306029821"
},
{
"category": "external",
"summary": "http://marc.theaimsgroup.com/?l=postgresql-general\u0026m=102995302604086",
"url": "http://marc.theaimsgroup.com/?l=postgresql-general\u0026m=102995302604086"
},
{
"category": "external",
"summary": "http://online.securityfocus.com/archive/1/288334",
"url": "http://online.securityfocus.com/archive/1/288334"
},
{
"category": "external",
"summary": "http://online.securityfocus.com/archive/1/288305",
"url": "http://online.securityfocus.com/archive/1/288305"
},
{
"category": "external",
"summary": "http://online.securityfocus.com/archive/1/288036",
"url": "http://online.securityfocus.com/archive/1/288036"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_010.json"
}
],
"title": "Red Hat Security Advisory: : Updated PostgreSQL packages fix buffer overrun vulnerabilities",
"tracking": {
"current_release_date": "2024-11-05T16:14:09+00:00",
"generator": {
"date": "2024-11-05T16:14:09+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.1.1"
}
},
"id": "RHSA-2003:010",
"initial_release_date": "2003-01-14T22:40:00+00:00",
"revision_history": [
{
"date": "2003-01-14T22:40:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-01-08T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-05T16:14:09+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 6.2",
"product": {
"name": "Red Hat Linux 6.2",
"product_id": "Red Hat Linux 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:6.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.0",
"product": {
"name": "Red Hat Linux 7.0",
"product_id": "Red Hat Linux 7.0",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.1",
"product": {
"name": "Red Hat Linux 7.1",
"product_id": "Red Hat Linux 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.1"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.2",
"product": {
"name": "Red Hat Linux 7.2",
"product_id": "Red Hat Linux 7.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.2"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0972",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616832"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the functions (1) lpad or (2) rpad.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0972"
},
{
"category": "external",
"summary": "RHBZ#1616832",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616832"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0972",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0972"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0972",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0972"
}
],
"release_date": "2002-08-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-01-14T22:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL packages.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:010"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-1397",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616910"
}
],
"notes": [
{
"category": "description",
"text": "Vulnerability in the cash_words() function for PostgreSQL 7.2 and earlier allows local users to cause a denial of service and possibly execute arbitrary code via a large negative argument, possibly triggering an integer signedness error or buffer overflow.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-1397"
},
{
"category": "external",
"summary": "RHBZ#1616910",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616910"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-1397",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-1397"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1397",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1397"
}
],
"release_date": "2002-08-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-01-14T22:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL packages.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:010"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-1398",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616911"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows attackers to cause a denial of service and possibly execute arbitrary code via a long date string, aka a vulnerability \"in handling long datetime input.\"",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-1398"
},
{
"category": "external",
"summary": "RHBZ#1616911",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616911"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-1398",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-1398"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1398",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1398"
}
],
"release_date": "2002-08-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-01-14T22:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL packages.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:010"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-1400",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616912"
}
],
"notes": [
{
"category": "description",
"text": "Heap-based buffer overflow in the repeat() function for PostgreSQL before 7.2.2 allows attackers to execute arbitrary code by causing repeat() to generate a large string.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-1400"
},
{
"category": "external",
"summary": "RHBZ#1616912",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616912"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-1400",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-1400"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1400",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1400"
}
],
"release_date": "2002-08-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-01-14T22:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL packages.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:010"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-1401",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616913"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.2.3 and earlier allow attackers to cause a denial of service and possibly execute arbitrary code, possibly as a result of an integer overflow.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-1401"
},
{
"category": "external",
"summary": "RHBZ#1616913",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616913"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-1401",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-1401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1401"
}
],
"release_date": "2002-08-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-01-14T22:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL packages.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:010"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-1402",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616914"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflows in the (1) TZ and (2) SET TIME ZONE enivronment variables for PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service and possibly execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-1402"
},
{
"category": "external",
"summary": "RHBZ#1616914",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616914"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-1402",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-1402"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1402",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1402"
}
],
"release_date": "2002-08-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-01-14T22:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL packages.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:010"
}
],
"title": "security flaw"
}
]
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.