=====================================================================

Red Hat Security Advisory



Synopsis: Moderate: postgresql security and bug fix update

Advisory ID: RHSA-2016:2606-02

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2606.html

Issue date: 2016-11-03

CVE Names: CVE-2016-5423 CVE-2016-5424

=====================================================================



1. Summary:



An update for postgresql is now available for Red Hat Enterprise Linux 7.



Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.



2. Relevant releases/architectures:



Red Hat Enterprise Linux Client (v. 7) - x86_64

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64

Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64



3. Description:



PostgreSQL is an advanced object-relational database management system (DBMS).



The following packages have been upgraded to a newer upstream version: postgresql (9.2.18).



Security Fix(es):



* A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authenticated attacker could use a specially crafted SQL statement to cause PostgreSQL to crash or disclose a few bytes of server memory or possibly execute arbitrary code. (CVE-2016-5423)



* A flaw was found in the way PostgreSQL client programs handled database and role names containing newlines, carriage returns, double quotes, or backslashes. By crafting such an object name, roles with the CREATEDB or CREATEROLE option could escalate their privileges to superuser when a superuser next executes maintenance with a vulnerable client program. (CVE-2016-5424)
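Before a superuser runs maintenance tools such as pg_dumpall, vacuumdb or reindexdb against a server that still has unpatched clients, an administrator can audit the catalog for the object names this flaw depends on and for the roles able to create them. The following query is an added example, not part of the advisory or of the PostgreSQL project; it assumes it is run by a superuser with psql and that standard_conforming_strings is on (the default since 9.1, so the regex escapes are passed through unchanged).

```sql
-- Added audit query, not part of the advisory. Run as a superuser in psql.

-- 1. Database and role names containing a newline, carriage return,
--    double quote or backslash: the characters CVE-2016-5424 relies on.
--    In an ARE bracket expression \n and \r are the control characters
--    and \\ is a literal backslash.
SELECT 'database' AS kind, datname AS name, oid
  FROM pg_database
 WHERE datname ~ '[\n\r"\\]'
UNION ALL
SELECT 'role' AS kind, rolname AS name, oid
  FROM pg_roles
 WHERE rolname ~ '[\n\r"\\]'
 ORDER BY kind, name;

-- 2. Non-superuser roles holding CREATEDB or CREATEROLE, i.e. the roles
--    that could have created such names. Review each one.
SELECT rolname, rolcreatedb, rolcreaterole
  FROM pg_roles
 WHERE NOT rolsuper
   AND (rolcreatedb OR rolcreaterole)
 ORDER BY rolname;

-- 3. Confirm the server build is the fixed upstream release (9.2.18 on
--    Red Hat Enterprise Linux 7 per this advisory).
SHOW server_version;
```

Any row returned by the first query should be renamed or dropped before superuser maintenance runs; the third query only covers the server, so also confirm with `rpm -q postgresql` that the client binaries come from the updated package.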



Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Heikki Linnakangas as the original reporter of CVE-2016-5423; and Nathan Bossart as the original reporter of CVE-2016-5424.



Additional Changes:



For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.



4. Solution:



For details on how to apply this update, which includes the changes described in this advisory, refer to:



https://access.redhat.com/articles/11258



If the postgresql service is running, it will be automatically restarted after installing this update.



5. Bugs fixed (https://bugzilla.redhat.com/):



1122143 - Postgresql won't start if user postgres is locked (/sbin/nologin).

1364001 - CVE-2016-5423 postgresql: CASE/WHEN with inlining can cause untrusted pointer dereference

1364002 - CVE-2016-5424 postgresql: privilege escalation via crafted database and role names



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/



7. References:



https://access.redhat.com/security/cve/CVE-2016-5423

https://access.redhat.com/security/cve/CVE-2016-5424

https://access.redhat.com/security/updates/classification/#moderate

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.3_Release_Notes/index.html

https://www.postgresql.org/docs/9.2/static/release-9-2-18.html

https://www.postgresql.org/docs/9.2/static/release-9-2-17.html

https://www.postgresql.org/docs/9.2/static/release-9-2-16.html

https://www.postgresql.org/about/news/1688/



8. Contact:



The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/



Copyright 2016 Red Hat, Inc.

