Bug 157366 - CAN-2005-1409, CAN-2005-1410 Multiple postgresql issues
Summary: CAN-2005-1409, CAN-2005-1410 Multiple postgresql issues
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: postgresql
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
Whiteboard: LEGACY, rh90, 1, 2
Duplicates: 157367 157368
Depends On:
Reported: 2005-05-10 22:39 UTC by Marc Deslauriers
Modified: 2007-04-18 17:25 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-02-28 00:53:55 UTC


Description Marc Deslauriers 2005-05-10 22:39:34 UTC
+++ This bug was initially created as a clone of Bug #156726 +++

Two serious security errors have been found in PostgreSQL 7.3 and newer
releases.  These errors at least allow an unprivileged database user to
crash the backend process, and may make it possible for an unprivileged
user to gain the privileges of a database superuser.

Comment 1 Marc Deslauriers 2006-02-11 22:29:35 UTC
*** Bug 157367 has been marked as a duplicate of this bug. ***

Comment 2 Marc Deslauriers 2006-02-11 22:29:48 UTC
*** Bug 157368 has been marked as a duplicate of this bug. ***

Comment 3 Marc Deslauriers 2006-02-12 04:55:12 UTC

Here are updated postgresql packages to QA for rh9, fc1 and fc2.
rh73 and fc3 are not affected.

a7b65953b98935e35b88f299744225a9b2aea0f9  9/postgresql-7.3.10-0.90.1.legacy.src.rpm
0adca4edf71b2380fff90afeaeea08e5349ae31c  1/postgresql-7.3.10-1.1.legacy.src.rpm
f7e2dff75d37e96ed559219db5c02b548e06a9e4  2/postgresql-7.4.8-1.FC2.1.src.rpm

Comment 4 Pekka Savola 2006-02-12 19:30:40 UTC

QA w/
 - source integrity OK
 - spec file changes minimal (either to previous, or compared to RHEL)

 - FC1 and FC2 were updated to match RHEL3 and RHEL4, respectively, so it's
   OK.  Was there a specific reason not to update RHL9 to match RHEL3?
 - you forgot to add "legacy" in the FC2 package name

In any case, the first issue is not blocking and the second can be fixed at
build time.


a7b65953b98935e35b88f299744225a9b2aea0f9  postgresql-7.3.10-0.90.1.legacy.src.rpm
0adca4edf71b2380fff90afeaeea08e5349ae31c  postgresql-7.3.10-1.1.legacy.src.rpm
f7e2dff75d37e96ed559219db5c02b548e06a9e4  postgresql-7.4.8-1.FC2.1.src.rpm

Comment 5 Marc Deslauriers 2006-02-12 20:55:26 UTC
Thanks for the QA.

The RHL9 postgres package is substantially different from the RHEL and FC
packages. It uses a different JDBC driver, among other things. I'm afraid
changing it to the RHEL package will break things.

Comment 6 Marc Deslauriers 2006-02-13 00:36:42 UTC
Packages were pushed to updates-testing

Comment 7 Pekka Savola 2006-02-14 06:31:00 UTC
New policy: automatic accept after two weeks if no negative feedback.

Comment 8 Tres Seaver 2006-02-15 04:14:26 UTC

System:  Fedora Core 1

Packages tested:

 - postgresql
 - postgresql-devel
 - postgresql-libs
 - postgresql-server

 1. Verify the GPG signature and the SHA1 checksum of the package.

    $ cd /var/cache/yum/updates-testing/packages
    $ sha1sum *.rpm
    de59e42459e24cd8846fbd6d765bc892d621a0dc  \
    39a6163dffc299ba088f8f71c0393fca08648ae9  \
    421fc09afacbeb0e6773a8c2c1dd2ebb45406fd9  \
    71c2abb0a89a19fa88eaa3a22048062ea4d938f3  \

    These checksums match those published in the notification sent to
    the legacy list.

    $ rpm --checksig postgresql-*.rpm
    postgresql-7.3.10-1.1.legacy.i386.rpm: \
       (sha1) dsa sha1 md5 gpg OK
    postgresql-devel-7.3.10-1.1.legacy.i386.rpm: \
       (sha1) dsa sha1 md5 gpg OK
    postgresql-libs-7.3.10-1.1.legacy.i386.rpm: \
       (sha1) dsa sha1 md5 gpg OK
    postgresql-server-7.3.10-1.1.legacy.i386.rpm: \
       (sha1) dsa sha1 md5 gpg OK

 2. Could you install or update the package without problems?

    The packages listed installed cleanly via yum from updates-testing.

 3. Could you use the package, as appropriate for the package,
    without problems?

   Yes.  The timesheet application I use on this host, which is backed
   against postgresql, continued to work after the update.
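The checksum step of the QA report above, as an added example that is not part of the bug report: a small POSIX shell script that checks a directory of downloaded packages against a published `<sha1>  <filename>` list of the kind posted in Comment 3 and Comment 4. File names and contents are constructed stand-ins, not the real RPMs, and the `rpm --checksig` signature step is not reproduced.

```shell
#!/bin/sh
# Added example (not from the bug report): check downloaded update packages
# against the "<sha1>  <filename>" list published with an update, the way the
# QA steps above do by hand with sha1sum. File names and contents are
# constructed stand-ins; the rpm --checksig signature step is not reproduced.

# setup_fixture: scratch directory with two fake packages and a SHA1SUMS list
# that holds one correct hash, one wrong (constructed) hash, and one entry
# whose file is absent. Prints the directory path.
setup_fixture() {
    dir=$(mktemp -d)
    printf 'good package\n' > "$dir/postgresql-7.3.10-1.1.legacy.i386.rpm"
    printf 'tampered package\n' > "$dir/postgresql-libs-7.3.10-1.1.legacy.i386.rpm"
    good=$(sha1sum "$dir/postgresql-7.3.10-1.1.legacy.i386.rpm" | cut -d' ' -f1)
    {
        printf '%s  postgresql-7.3.10-1.1.legacy.i386.rpm\n' "$good"
        printf '%s  postgresql-libs-7.3.10-1.1.legacy.i386.rpm\n' \
            0000000000000000000000000000000000000000
        printf '%s  postgresql-server-7.3.10-1.1.legacy.i386.rpm\n' \
            1111111111111111111111111111111111111111
    } > "$dir/SHA1SUMS"
    echo "$dir"
}

# verify_packages DIR: recompute the SHA1 of every file named in DIR/SHA1SUMS
# and compare it with the published value. Prints one OK/MISMATCH/MISSING
# line per entry and returns non-zero if anything is not OK, so a script
# can refuse to install when even a single package is bad.
verify_packages() {
    dir=$1
    rc=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            rc=1
            continue
        fi
        actual=$(sha1sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (published $expected, computed $actual)"
            rc=1
        fi
    done < "$dir/SHA1SUMS"
    return $rc
}
```

Run `verify_packages "$(setup_fixture)"` to see one OK, one MISMATCH and one MISSING line; against a real download, point it at the directory holding the packages and the announcement's checksum list saved as SHA1SUMS.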

Comment 9 Pekka Savola 2006-02-15 07:09:08 UTC
Great!  Thanks for the test!

Comment 10 David Eisenstein 2006-02-15 07:18:16 UTC
Thanks, Tres, for testing!  :)

Comment 11 Pekka Savola 2006-02-15 17:26:33 UTC
Sigh, this just appeared today: CVE-2006-0553.  Do we respin now or wait until
later (e.g., after RHEL has released an update)?

Comment 12 Tres Seaver 2006-02-15 17:45:46 UTC
The writeup[1] says:

  PostgreSQL minor version 8.1.3 has been released, containing a patch for a
  serious security issue present in the 8.1 branch.  All users of 8.1 are urged
  to upgrade at the earliest opportunity.

  Minor versions 8.0.7, 7.4.12, and 7.3.14 are being released at the same time.
  These contain only minor bug fixes to the 8.0, 7.4 and 7.3 versions and can
  be upgraded on a more planned schedule, unless of course you are encountering
  one of the bugs described.

  The security issue in 8.1.x allows an authenticated database user to escalate
  his ROLE privileges by exploiting knowledge of the backend protocol.  While
  there are no known exploits in the wild for this, users are urged not to wait
  until they encounter one.

  8.1.3 also contains a number of other bug fixes, most of them for very
  specific (rare) database configurations and schema issues, but including a
  number of crash fixes.   Notable also is a fix to the TSearch2 GiST index
  generation code which will significantly speed up creation of TSearch2
  indexes.   See the release notes for more detail.

I would say that we can defer picking up those fixes, as no legacy release is
using 8.1.x.


Comment 13 Pekka Savola 2006-02-27 06:40:43 UTC
Timeout over.

Comment 14 Marc Deslauriers 2006-02-28 00:53:55 UTC
Packages were released.
