-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2003.0025 -- RHSA-2003:010-10 and RHSA-2003:001-16
Updated PostgreSQL packages fix buffer overrun vulnerabilities,
security issues and bugs
15 January 2003

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           PostgreSQL
Vendor:            Red Hat
Operating System:  Red Hat Linux 6.2
                   Red Hat Linux 7.0
                   Red Hat Linux 7.1
                   Red Hat Linux 7.2
                   Red Hat Linux 7.3
                   Red Hat Linux 8.0
Impact:            Denial of Service
                   Execute Arbitrary Code/Commands
Access Required:   Existing Account

Comment: As stated in the following bulletins: "these vulnerabilities are
only critical on open or shared systems because connecting to the database
is required before the vulnerabilities can be exploited."

Bulletins included are:

RHSA-2003:010-10 - Updated PostgreSQL packages fix buffer overrun vulnerabilities
RHSA-2003:001-16 - Updated PostgreSQL packages fix security issues and bugs

- --------------------------BEGIN INCLUDED TEXT--------------------

- ---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated PostgreSQL packages fix buffer overrun vulnerabilities
Advisory ID:       RHSA-2003:010-10
Issue date:        2003-01-14
Updated on:        2003-01-14
Product:           Red Hat Linux
Keywords:          PostgreSQL datetime lpad rpad multibyte
Cross references:  RHSA-2002:301 RHSA-2003:001
Obsoletes:
CVE Names:         CAN-2002-0972 CAN-2002-1397 CAN-2002-1398 CAN-2002-1400
                   CAN-2002-1401 CAN-2002-1402
- ---------------------------------------------------------------------

1. Topic:

Updated PostgreSQL packages are available for Red Hat Linux 6.2, 7, 7.1,
and 7.2 where we have backported a number of security fixes. A separate
advisory deals with updated PostgreSQL packages for Red Hat Linux 7.3
and 8.0.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64

3. Problem description:

PostgreSQL is an advanced Object-Relational database management system
(DBMS). A number of security issues have been found that affect PostgreSQL
versions shipped with Red Hat Linux.

Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of
service and possibly execute arbitrary code via long arguments to the lpad
or rpad functions. CAN-2002-0972

Buffer overflow in the cash_words() function for PostgreSQL 7.2 and earlier
allows local users to cause a denial of service and possibly execute
arbitrary code via a malformed argument. CAN-2002-1397

Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows
attackers to cause a denial of service and possibly execute arbitrary code
via a long date string, also known as a vulnerability "in handling long
datetime input." CAN-2002-1398

Heap-based buffer overflow in the repeat() function for PostgreSQL before
7.2.2 allows attackers to execute arbitrary code by causing repeat() to
generate a large string. CAN-2002-1400

Buffer overflows in circle_poly, path_encode and path_add allow attackers
to cause a denial of service and possibly execute arbitrary code. Note that
these issues have been fixed in our packages and in PostgreSQL CVS, but are
not included in PostgreSQL version 7.2.2 or 7.2.3. CAN-2002-1401

Buffer overflows in the TZ and SET TIME ZONE environment variables for
PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service
and possibly execute arbitrary code. CAN-2002-1402

Note that these vulnerabilities are only critical on open or shared systems
because connecting to the database is required before the vulnerabilities
can be exploited.
The PostgreSQL Global Development Team has released versions of PostgreSQL
that fix these vulnerabilities, and these fixes have been isolated and
backported to the various versions of PostgreSQL that originally shipped
with each Red Hat Linux distribution. All users of PostgreSQL are advised
to install these updated packages.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

Please note that this update is available via Red Hat Network. To use Red
Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Note that no initdb is necessary when upgrading from previous PostgreSQL
packages.

5. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/postgresql-6.5.3-7.3.src.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/postgresql-6.5.3-7.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/postgresql-python-6.5.3-7.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/postgresql-devel-6.5.3-7.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/postgresql-server-6.5.3-7.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/postgresql-jdbc-6.5.3-7.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/postgresql-tcl-6.5.3-7.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/postgresql-odbc-6.5.3-7.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/postgresql-test-6.5.3-7.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/postgresql-perl-6.5.3-7.3.i386.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/postgresql-7.0.2-18.2.src.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/postgresql-7.0.2-18.2.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/postgresql-python-7.0.2-18.2.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/postgresql-devel-7.0.2-18.2.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/postgresql-server-7.0.2-18.2.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/postgresql-jdbc-7.0.2-18.2.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/postgresql-tcl-7.0.2-18.2.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/postgresql-odbc-7.0.2-18.2.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/postgresql-tk-7.0.2-18.2.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/postgresql-perl-7.0.2-18.2.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/postgresql-7.0.3-9.2.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/postgresql-7.0.3-9.2.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/postgresql-python-7.0.3-9.2.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/postgresql-devel-7.0.3-9.2.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/postgresql-server-7.0.3-9.2.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/postgresql-jdbc-7.0.3-9.2.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/postgresql-tcl-7.0.3-9.2.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/postgresql-odbc-7.0.3-9.2.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/postgresql-tk-7.0.3-9.2.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/postgresql-perl-7.0.3-9.2.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/postgresql-7.1.3-4bp.2.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/postgresql-7.1.3-4bp.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/postgresql-odbc-7.1.3-4bp.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/postgresql-contrib-7.1.3-4bp.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/postgresql-perl-7.1.3-4bp.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/postgresql-devel-7.1.3-4bp.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/postgresql-python-7.1.3-4bp.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/postgresql-docs-7.1.3-4bp.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/postgresql-server-7.1.3-4bp.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/postgresql-jdbc-7.1.3-4bp.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/postgresql-tcl-7.1.3-4bp.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/postgresql-libs-7.1.3-4bp.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/postgresql-tk-7.1.3-4bp.2.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/postgresql-7.1.3-4bp.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/postgresql-odbc-7.1.3-4bp.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/postgresql-contrib-7.1.3-4bp.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/postgresql-perl-7.1.3-4bp.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/postgresql-devel-7.1.3-4bp.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/postgresql-python-7.1.3-4bp.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/postgresql-docs-7.1.3-4bp.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/postgresql-server-7.1.3-4bp.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/postgresql-jdbc-7.1.3-4bp.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/postgresql-tcl-7.1.3-4bp.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/postgresql-libs-7.1.3-4bp.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/postgresql-tk-7.1.3-4bp.2.ia64.rpm
6. Verification:

MD5 sum                          Package Name
- --------------------------------------------------------------------------
732b8eae39abc767f205a1b3cf16ab77 6.2/en/os/SRPMS/postgresql-6.5.3-7.3.src.rpm
e7409539b4793a88f6ca068c67ad930a 6.2/en/os/i386/postgresql-6.5.3-7.3.i386.rpm
8af6a1d62449e06d397bf4996a3f510e 6.2/en/os/i386/postgresql-devel-6.5.3-7.3.i386.rpm
110007dd317f9b1ae7b0554c1713e3a4 6.2/en/os/i386/postgresql-jdbc-6.5.3-7.3.i386.rpm
17dcc19ff76f273110fbac5a0208e512 6.2/en/os/i386/postgresql-odbc-6.5.3-7.3.i386.rpm
971bc763d760f8b115fba9298521e96a 6.2/en/os/i386/postgresql-perl-6.5.3-7.3.i386.rpm
b24f8d7e80ee9ab3c8e373adab507256 6.2/en/os/i386/postgresql-python-6.5.3-7.3.i386.rpm
3024dd8f8628b7af20218d6f3891d2ec 6.2/en/os/i386/postgresql-server-6.5.3-7.3.i386.rpm
6616e93a6b7a29930aa8414d812beb24 6.2/en/os/i386/postgresql-tcl-6.5.3-7.3.i386.rpm
194d0ce61f98f52dd1baf56bbd6443a8 6.2/en/os/i386/postgresql-test-6.5.3-7.3.i386.rpm
ac0d75c27ebcd36170f63c60e037f489 7.0/en/os/SRPMS/postgresql-7.0.2-18.2.src.rpm
40f699d6f548c6a90a46f3e85feba1ee 7.0/en/os/i386/postgresql-7.0.2-18.2.i386.rpm
ef2087d781505c3c038d8b24bed94540 7.0/en/os/i386/postgresql-devel-7.0.2-18.2.i386.rpm
4e6ce0a5abff847f96203a1c5b61c8ec 7.0/en/os/i386/postgresql-jdbc-7.0.2-18.2.i386.rpm
3cb5ff6e810db8fdcf249f5b150c5d22 7.0/en/os/i386/postgresql-odbc-7.0.2-18.2.i386.rpm
fa4a04603929c41c9f27f6db6c13e840 7.0/en/os/i386/postgresql-perl-7.0.2-18.2.i386.rpm
3c3b41c7138aa0c33817324f91296127 7.0/en/os/i386/postgresql-python-7.0.2-18.2.i386.rpm
83e81d641b6fb1d803579d35bd1bcb72 7.0/en/os/i386/postgresql-server-7.0.2-18.2.i386.rpm
c6423d569bfed888052c2d8089b6831f 7.0/en/os/i386/postgresql-tcl-7.0.2-18.2.i386.rpm
3bd6a70af12569f7664191e6822059cc 7.0/en/os/i386/postgresql-tk-7.0.2-18.2.i386.rpm
92251aabd8b1e84d14e318914f3a5d2d 7.1/en/os/SRPMS/postgresql-7.0.3-9.2.src.rpm
dcb353615e8f57e389f48f3e4bf26bc8 7.1/en/os/i386/postgresql-7.0.3-9.2.i386.rpm
e73b9ebc33c2d007abbf10cc50db591e 7.1/en/os/i386/postgresql-devel-7.0.3-9.2.i386.rpm
ed79953de3b1af9a27834376456cd4b7 7.1/en/os/i386/postgresql-jdbc-7.0.3-9.2.i386.rpm
3f4ee5dcefb0719a34e89fb036820399 7.1/en/os/i386/postgresql-odbc-7.0.3-9.2.i386.rpm
8e4cfea0f12eaed1294d923982581c2e 7.1/en/os/i386/postgresql-perl-7.0.3-9.2.i386.rpm
612dadb4b08805f2a4b661b4e43be923 7.1/en/os/i386/postgresql-python-7.0.3-9.2.i386.rpm
569cf3720c28f1971d6d090ca65da993 7.1/en/os/i386/postgresql-server-7.0.3-9.2.i386.rpm
5f3137d3ce73e129abbbd9f1b4d5541b 7.1/en/os/i386/postgresql-tcl-7.0.3-9.2.i386.rpm
f358ff4687c07cb82d9264af8ae79a91 7.1/en/os/i386/postgresql-tk-7.0.3-9.2.i386.rpm
27ec75858d8f15e4333c78ca816186dc 7.2/en/os/SRPMS/postgresql-7.1.3-4bp.2.src.rpm
88ca89fd6c48d158604cb19c4721b8fb 7.2/en/os/i386/postgresql-7.1.3-4bp.2.i386.rpm
673229fe4d65ad583213fbad4199921a 7.2/en/os/i386/postgresql-contrib-7.1.3-4bp.2.i386.rpm
901624d92faeadbc56597a465e23313a 7.2/en/os/i386/postgresql-devel-7.1.3-4bp.2.i386.rpm
31008741d14629a520c99db5c3637f99 7.2/en/os/i386/postgresql-docs-7.1.3-4bp.2.i386.rpm
ada8e8568e3626a2f7355543765e8317 7.2/en/os/i386/postgresql-jdbc-7.1.3-4bp.2.i386.rpm
96062e762166c1990448caf6c3334881 7.2/en/os/i386/postgresql-libs-7.1.3-4bp.2.i386.rpm
f0b3cf36ce4467c0dc4ca5a1e0b78b29 7.2/en/os/i386/postgresql-odbc-7.1.3-4bp.2.i386.rpm
539669074df1afb9d6c7fac0ac51ed3d 7.2/en/os/i386/postgresql-perl-7.1.3-4bp.2.i386.rpm
fa64bdf8c2b2626fcdedbe1def872b01 7.2/en/os/i386/postgresql-python-7.1.3-4bp.2.i386.rpm
67fe5d278a89c5cffb490d5e803390d2 7.2/en/os/i386/postgresql-server-7.1.3-4bp.2.i386.rpm
f4ff49541ccf2cee6ab9f5d72c0a3003 7.2/en/os/i386/postgresql-tcl-7.1.3-4bp.2.i386.rpm
7682e8c17b6658be3cb102f3ddb06fd9 7.2/en/os/i386/postgresql-tk-7.1.3-4bp.2.i386.rpm
04af46f5c9f0cfcd1e4c12c8363bfffd 7.2/en/os/ia64/postgresql-7.1.3-4bp.2.ia64.rpm
f0b512e2da303b9450fc686d50fe8c9a 7.2/en/os/ia64/postgresql-contrib-7.1.3-4bp.2.ia64.rpm
976a6297da982a1c381a2c2edee2f6fe 7.2/en/os/ia64/postgresql-devel-7.1.3-4bp.2.ia64.rpm
90609e955c4a271820be3948b45489f7 7.2/en/os/ia64/postgresql-docs-7.1.3-4bp.2.ia64.rpm
988963a98acd91b25b8eb927229af65b 7.2/en/os/ia64/postgresql-jdbc-7.1.3-4bp.2.ia64.rpm
667849e8e0cd899451b46bd7fad26b59 7.2/en/os/ia64/postgresql-libs-7.1.3-4bp.2.ia64.rpm
0328a3c04aba598d48251ccd2816498a 7.2/en/os/ia64/postgresql-odbc-7.1.3-4bp.2.ia64.rpm
aea10ae95c6e2f3c319f16fabc2023eb 7.2/en/os/ia64/postgresql-perl-7.1.3-4bp.2.ia64.rpm
228a329364b0cff9a2517042527907fe 7.2/en/os/ia64/postgresql-python-7.1.3-4bp.2.ia64.rpm
bbe6bee4fdec718afb57e94d7410795a 7.2/en/os/ia64/postgresql-server-7.1.3-4bp.2.ia64.rpm
9ca311fbdbe517743e98d78fd3e90fc6 7.2/en/os/ia64/postgresql-tcl-7.1.3-4bp.2.ia64.rpm
ad36915a19a545d10197976b6753bd28 7.2/en/os/ia64/postgresql-tk-7.1.3-4bp.2.ia64.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is
available at http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

md5sum <filename>

7. References:

http://lwn.net/Articles/8445/
http://marc.theaimsgroup.com/?l=postgresql-announce&m=103062536330644
http://marc.theaimsgroup.com/?l=bugtraq&m=102978152712430
http://marc.theaimsgroup.com/?l=bugtraq&m=102987306029821
http://marc.theaimsgroup.com/?l=postgresql-general&m=102995302604086
http://online.securityfocus.com/archive/1/288334
http://online.securityfocus.com/archive/1/288305
http://online.securityfocus.com/archive/1/288036
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1402
8. Contact:

The Red Hat security contact is <security@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.

- ---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated PostgreSQL packages fix security issues and bugs
Advisory ID:       RHSA-2003:001-16
Issue date:        2003-01-14
Updated on:        2003-01-14
Product:           Red Hat Linux
Keywords:          PostgreSQL VACUUM pre-1970 spinlock
Cross references:
Obsoletes:
CVE Names:         CAN-2002-0972 CAN-2002-1397 CAN-2002-1398 CAN-2002-1400
                   CAN-2002-1401 CAN-2002-1402
- ---------------------------------------------------------------------

1. Topic:

Updated PostgreSQL packages are available for Red Hat Linux 7.3 and 8.0.
These packages correct several security and other bugs. A separate
advisory deals with updated PostgreSQL packages for Red Hat Linux 6.2, 7,
7.1, and 7.2.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

PostgreSQL is an advanced Object-Relational database management system.
Red Hat Linux 7.3 shipped with PostgreSQL version 7.2.1. Red Hat Linux 8.0
shipped with PostgreSQL version 7.2.2.

PostgreSQL versions 7.2.1 and 7.2.2 contain a serious issue with the VACUUM
command when it is run by a non-superuser. It is possible for the system to
prematurely remove old transaction log data (pg_clog files), which can
result in unrecoverable data loss.

A number of minor security issues affect the PostgreSQL 7.2.1 packages
shipped with Red Hat Linux 7.3 only:

1. Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of
   service and possibly execute arbitrary code via long arguments to the
   lpad or rpad functions. CAN-2002-0972

2. Buffer overflow in the cash_words() function allows local users to cause
   a denial of service and possibly execute arbitrary code via a malformed
   argument. CAN-2002-1397

3. Buffer overflow in the date parser allows attackers to cause a denial of
   service and possibly execute arbitrary code via a long date string, also
   known as a vulnerability "in handling long datetime input."
   CAN-2002-1398

4. Heap-based buffer overflow in the repeat() function allows attackers to
   execute arbitrary code by causing repeat() to generate a large string.
   CAN-2002-1400

5. Buffer overflows in the TZ and SET TIME ZONE environment variables allow
   local users to cause a denial of service and possibly execute arbitrary
   code. CAN-2002-1402

Additionally, buffer overflows in circle_poly, path_encode and path_add
allow attackers to cause a denial of service and possibly execute arbitrary
code. Note that these overflows have been fixed in our erratum packages and
in PostgreSQL CVS, but are not fixed in the released versions of PostgreSQL
version 7.2.3. CAN-2002-1401

The above vulnerabilities are only critical on open or shared systems
because connecting to the database is required before the vulnerabilities
can be exploited.

This update also contains fixes for several other PostgreSQL bugs, including
handling of pre-1970 date values in newer versions of glibc, possible server
shutdown hangs, spinlock hangs on SMP PPC machines, and pg_dump improperly
dumping with the FULL JOIN USING clauses.

All users of PostgreSQL should upgrade to these errata packages containing
PostgreSQL 7.2.3 with additional patches to correct all these issues.

Note that running initdb is not necessary when upgrading from 7.2.1 or
7.2.2 to the packages contained in this errata.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated.
Note that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/postgresql-7.2.3-5.73.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/postgresql-7.2.3-5.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/postgresql-libs-7.2.3-5.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/postgresql-server-7.2.3-5.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/postgresql-docs-7.2.3-5.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/postgresql-contrib-7.2.3-5.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/postgresql-devel-7.2.3-5.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/postgresql-tcl-7.2.3-5.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/postgresql-tk-7.2.3-5.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/postgresql-odbc-7.2.3-5.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/postgresql-perl-7.2.3-5.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/postgresql-python-7.2.3-5.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/postgresql-jdbc-7.2.3-5.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/postgresql-test-7.2.3-5.73.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/postgresql-7.2.3-5.80.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/postgresql-7.2.3-5.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/postgresql-libs-7.2.3-5.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/postgresql-server-7.2.3-5.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/postgresql-docs-7.2.3-5.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/postgresql-contrib-7.2.3-5.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/postgresql-devel-7.2.3-5.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/postgresql-tcl-7.2.3-5.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/postgresql-tk-7.2.3-5.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/postgresql-odbc-7.2.3-5.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/postgresql-perl-7.2.3-5.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/postgresql-python-7.2.3-5.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/postgresql-jdbc-7.2.3-5.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/postgresql-test-7.2.3-5.80.i386.rpm

6. Verification:

MD5 sum                          Package Name
- --------------------------------------------------------------------------
34e14436281e3beea42ee984bceabeb8 7.3/en/os/SRPMS/postgresql-7.2.3-5.73.src.rpm
edba57794dc188ddb4dd8408d2b351e2 7.3/en/os/i386/postgresql-7.2.3-5.73.i386.rpm
e71f0771204fe8293f1aa90f09f6481e 7.3/en/os/i386/postgresql-contrib-7.2.3-5.73.i386.rpm
58e695f58687a72bfc1ead13a301dae3 7.3/en/os/i386/postgresql-devel-7.2.3-5.73.i386.rpm
c8ff56f25004f8da3fcab97a00645a3c 7.3/en/os/i386/postgresql-docs-7.2.3-5.73.i386.rpm
551c10daca662b4514ed0ca9f57181e3 7.3/en/os/i386/postgresql-jdbc-7.2.3-5.73.i386.rpm
517c6bd62d0a82cdbb9a452b09e42ded 7.3/en/os/i386/postgresql-libs-7.2.3-5.73.i386.rpm
a942a652ae89df1aa0284b7c73348187 7.3/en/os/i386/postgresql-odbc-7.2.3-5.73.i386.rpm
51865efb9f3e491d497b18713d12a370 7.3/en/os/i386/postgresql-perl-7.2.3-5.73.i386.rpm
743471a3e5a2dbbaa376b58583519e92 7.3/en/os/i386/postgresql-python-7.2.3-5.73.i386.rpm
a65ed55398c08dfd9ef2cc48dcf620fb 7.3/en/os/i386/postgresql-server-7.2.3-5.73.i386.rpm
822f7424c23e9597755ad78dd4b2cedf 7.3/en/os/i386/postgresql-tcl-7.2.3-5.73.i386.rpm
9d632c76040305e701eb925656fd512e 7.3/en/os/i386/postgresql-test-7.2.3-5.73.i386.rpm
9dfa1a633958e1148b33f3122ed9a943 7.3/en/os/i386/postgresql-tk-7.2.3-5.73.i386.rpm
116fabd54ec3a3235ec8bb9946991001 8.0/en/os/SRPMS/postgresql-7.2.3-5.80.src.rpm
fa4bc52fd3733243874959805f23790f 8.0/en/os/i386/postgresql-7.2.3-5.80.i386.rpm
c2616bfa68911cb6072cee5da26ee4c7 8.0/en/os/i386/postgresql-contrib-7.2.3-5.80.i386.rpm
7b7183842f7e5bbe0bb3652410443ce1 8.0/en/os/i386/postgresql-devel-7.2.3-5.80.i386.rpm
a03b33fa750a9548bfc7050863b64ebe 8.0/en/os/i386/postgresql-docs-7.2.3-5.80.i386.rpm
06f18f7d31287f6731aea08593624866 8.0/en/os/i386/postgresql-jdbc-7.2.3-5.80.i386.rpm
ebd03dbfc757b629dac9bb017d918ef4 8.0/en/os/i386/postgresql-libs-7.2.3-5.80.i386.rpm
e2511b0ebbcecc1580d5585fe53603f6 8.0/en/os/i386/postgresql-odbc-7.2.3-5.80.i386.rpm
e07c50d8f035340cd9db90c77179b238 8.0/en/os/i386/postgresql-perl-7.2.3-5.80.i386.rpm
8527468481312aeaf2b4ea3a5a5731a1 8.0/en/os/i386/postgresql-python-7.2.3-5.80.i386.rpm
f5a061d396f96898aecc2570a1703cfa 8.0/en/os/i386/postgresql-server-7.2.3-5.80.i386.rpm
259de5a30643984be397b7d0d2ad66f4 8.0/en/os/i386/postgresql-tcl-7.2.3-5.80.i386.rpm
32eebb139b6dca1cc4ae562fb3d608f3 8.0/en/os/i386/postgresql-test-7.2.3-5.80.i386.rpm
8bd5bb78a954eac4ee0c0c7c98a79dde 8.0/en/os/i386/postgresql-tk-7.2.3-5.80.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is
available at http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

md5sum <filename>
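Both advisories tell the reader to run md5sum and rpm --checksig on each package by hand. The following shell script is an added example (the editor's, not part of the Red Hat advisories or of AusCERT's bulletin) that applies that verification step to a whole download directory at once. It assumes you have pasted the "MD5 sum / Package Name" table from section 6 into a manifest file and fetched the RPMs into one directory; the function names verify_advisory_md5s, md5_of and checksig_all are the example's own, and the file used in its self-test is a constructed stand-in, not a real RPM.

```shell
#!/bin/sh
# Added example: check downloaded errata RPMs against the advisory's MD5
# table and, where rpm is installed, against the Red Hat GPG signature.
#
# MANIFEST holds lines copied from section 6 of the advisory, i.e.
#   <32-hex-md5> <release>/en/os/<arch>/<package>.rpm
# The header line and the "- ----" ruler may be left in; they are skipped.
# Files are looked up by basename in DIR, which is how a directory looks
# after fetching the listed URLs from ftp://updates.redhat.com/.

# md5_of FILE: print the hex MD5 of FILE (md5sum on Linux, openssl elsewhere).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/^.*= //'
    fi
}

# verify_advisory_md5s MANIFEST DIR
# Prints OK / FAILED / MISSING per manifest entry; returns 0 only when
# every listed package is present in DIR and matches its MD5 exactly.
verify_advisory_md5s() {
    manifest=$1
    dir=$2
    bad=0
    while read -r expected path; do
        # skip blank lines, the "MD5 sum Package Name" header and the ruler
        case "$expected" in
            ''|MD5|-*|'#'*) continue ;;
        esac
        name=$(basename "$path")
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING  $name"
            bad=1
            continue
        fi
        actual=$(md5_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "FAILED   $name (expected $expected, got $actual)"
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# checksig_all DIR: run the advisory's "rpm --checksig -v" over every RPM in
# DIR. Returns 2 when rpm is not installed (nothing was checked), 1 if any
# package fails, 0 if all pass.
checksig_all() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; signature check skipped" >&2
        return 2
    fi
    rc=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        rpm --checksig -v "$f" || rc=1
    done
    return $rc
}

# Usage: sh verify-errata.sh MANIFEST DIR
if [ $# -ge 2 ]; then
    verify_advisory_md5s "$1" "$2" || exit 1
    checksig_all "$2"
fi
```

An MD5 match only shows that the file you have is the file Red Hat listed; the advisory itself draws that line by offering md5sum for corruption checks and rpm --checksig for the GPG signature, and a script should keep the same order: fail closed on any MISSING or FAILED line before trusting a signature result, and treat a skipped signature check (no rpm on the host doing the download) as not yet verified rather than as a pass.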
7. References:

http://www3.ca.postgresql.org/users-lounge/docs/7.3/postgres/release-7-2-3.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1402

8. Contact:

The Red Hat security contact is <security@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPiVKcCh9+71yA2DNAQGlvQQAkTbGCqo5i3Ee/LPMrAaCsxZCSARnjrhe
zmXxH9HPAoXVrb7XLjF70Hcx56j6iEkAEN6lBsgThNemFuMx6jAN0vAoJOdD/Bzc
E4re/pcWvaddASQgaqpWAxI6T8sJIkEeDh1ytHtnB6ER0/1gPwEqy6fYBLsZ0K69
z407Bx1+Hdo=
=cA3s
-----END PGP SIGNATURE-----