MDKSA-2007:094

[ursula]

Mandriva Advisories
Package name postgresql
Date April 25th, 2007
Advisory ID MDKSA-2007:094
Affected versions CS3.0, 2007.0, CS4.0, 2007.1
Synopsis Updated postgresql packages fix vulnerability


Problem Description

A weakness in previous versions of PostgreSQL was found in the security
definer functions in which an authenticated but otherwise unprivileged
SQL user could use temporary objects to execute arbitrary code with
the privileges of the security-definer function.

IMPORTANT NOTICE FOR CORPORATE SERVER/DESKTOP 3.0 USERS:

In addition, packages for Corporate Server/Desktop 3.0 have been
updated to the latest PostgreSQL 7.4.17 which requires some attention
when upgrading. To take advantage of the new version, and to ensure
data coherency, we strongly recommend dumping the old databases,
re-initializing the database, and then reloading the dumped data.
This can be accomplished as root using:

# service postgresql start
# su - postgres
$ pg_dumpall >/tmp/database.dump
$ exit
# service postgresql stop
# mv /var/lib/pgsql /var/lib/pgsql.bk
# urpmi.update -a && urpmi --auto-select
# service postgresql start
# service postgresql restart
# su - postgres
$ /usr/bin/psql -d template1 -f /tmp/database.dump
$ exit

Only Corporate Server/Desktop 3.0 requires the dump/reload steps; the
other Mandriva Linux platforms do not require this step. Notice that
the double-restart of the postgresql service is in fact required.

Updated packages have been patched to correct this issue.