Updated postgresql packages that fix multiple security issues are now available for Red Hat Satellite 5.7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

PostgreSQL is an advanced object-relational database management system (DBMS).

An information leak flaw was found in the way the PostgreSQL database server handled certain error messages. An authenticated database user could possibly obtain the results of a query they did not have privileges to execute by observing the constraint violation error messages produced when the query was executed. (CVE-2014-8161)

A buffer overflow flaw was found in the way PostgreSQL handled certain numeric formatting. An authenticated database user could use a specially crafted timestamp formatting template to cause PostgreSQL to crash or, under certain conditions, execute arbitrary code with the permissions of the user running PostgreSQL. (CVE-2015-0241)

A stack-buffer overflow flaw was found in PostgreSQL’s pgcrypto module. An authenticated database user could use this flaw to cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL. (CVE-2015-0243)

A flaw was found in the way PostgreSQL handled certain errors that were generated during protocol synchronization. An authenticated database user could use this flaw to inject queries into an existing connection. (CVE-2015-0244)

Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Stephen Frost as the original reporter of CVE-2014-8161; Andres Freund, Peter Geoghegan, Bernd Helmle, and Noah Misch as the original reporters of CVE-2015-0241; Marko Tiikkaja as the original reporter of CVE-2015-0243; and Emil Lenngren as the original reporter of CVE-2015-0244.

All PostgreSQL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update.
Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Red Hat Satellite (v. 5.7 for RHEL 6)

SRPMS:
postgresql92-postgresql-9.2.10-2.el6.src.rpm
 
s390x:
postgresql92-postgresql-9.2.10-2.el6.s390x.rpm
postgresql92-postgresql-contrib-9.2.10-2.el6.s390x.rpm
postgresql92-postgresql-libs-9.2.10-2.el6.s390x.rpm
postgresql92-postgresql-pltcl-9.2.10-2.el6.s390x.rpm
postgresql92-postgresql-server-9.2.10-2.el6.s390x.rpm
postgresql92-postgresql-upgrade-9.2.10-2.el6.s390x.rpm
 
x86_64:
postgresql92-postgresql-9.2.10-2.el6.x86_64.rpm
postgresql92-postgresql-contrib-9.2.10-2.el6.x86_64.rpm
postgresql92-postgresql-libs-9.2.10-2.el6.x86_64.rpm
postgresql92-postgresql-pltcl-9.2.10-2.el6.x86_64.rpm
postgresql92-postgresql-server-9.2.10-2.el6.x86_64.rpm
postgresql92-postgresql-upgrade-9.2.10-2.el6.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)
1182043 – CVE-2014-8161 postgresql: information leak through constraint violation errors
1188684 – CVE-2015-0241 postgresql: buffer overflow in the to_char() function
1188689 – CVE-2015-0243 postgresql: buffer overflow flaws in contrib/pgcrypto
1188694 – CVE-2015-0244 postgresql: loss of frontend/backend protocol synchronization after an error
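
An added example, not part of the Red Hat advisory: a Python check that flags any package from the list above that is still installed at a build older than 9.2.10-2.el6. It assumes input in the form printed by `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'`, ignores epochs, and uses a simplified version comparison; the sample inventory is constructed.

```python
import re

# Fixed build named in the advisory (same version-release for every package).
FIXED_VERSION, FIXED_RELEASE = "9.2.10", "2.el6"
# Package names taken from the advisory's package list.
ADVISORY_PACKAGES = {
    "postgresql92-postgresql",
    "postgresql92-postgresql-contrib",
    "postgresql92-postgresql-libs",
    "postgresql92-postgresql-pltcl",
    "postgresql92-postgresql-server",
    "postgresql92-postgresql-upgrade",
}
# Constructed sample inventory (NAME VERSION RELEASE per line), not real host data.
SAMPLE = """\
postgresql92-postgresql 9.2.10 2.el6
postgresql92-postgresql-libs 9.2.8 1.el6
postgresql92-postgresql-server 9.2.10 1.el6
bash 4.1.2 29.el6
"""

def rpm_label_cmp(a, b):
    """Simplified rpmvercmp (no '~' or '^' handling); returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # numeric run is newer than alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def unpatched(rpm_query_output):
    """Return advisory packages installed at a build older than the fixed one."""
    stale = []
    for line in rpm_query_output.strip().splitlines():
        name, version, release = line.split()
        if name not in ADVISORY_PACKAGES:
            continue
        order = rpm_label_cmp(version, FIXED_VERSION) or rpm_label_cmp(release, FIXED_RELEASE)
        if order < 0:
            stale.append(f"{name}-{version}-{release}")
    return stale

if __name__ == "__main__":
    print(unpatched(SAMPLE))
```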

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:
