Note: This is an archival copy of Security Sun Alert 258808 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020455.1.
6817870, 6817871, 6818380
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
Security vulnerability in PostgreSQL shipped with Solaris may allow a Denial of Service (DoS):
A security vulnerability affecting the PostgreSQL software shipped with Solaris may allow an authenticated PostgreSQL user to cause a Denial of Service (DoS) to the PostgreSQL server (due to stack consumption).
This issue is described in the following documents:
Official PostgreSQL announcement at:
2. Contributing Factors
This issue can occur in the following releases:
Note 2: A user exploiting this vulnerability must have an account on the PostgreSQL server.
Note 3: This issue affects PostgreSQL versions 7.4.x prior to 7.4.25, 8.0.x prior to 8.0.21, 8.1.x prior to 8.1.17, 8.2.x prior to 8.2.13 and 8.3.x prior to 8.3.7.
Note 4: PostgreSQL 8.1 (SUNWpostgr), 8.2 (packages beginning with SUNWpostgr-82) and 8.3 (packages beginning with SUNWpostgr-83) can be installed at the same time and are separately impacted by this vulnerability.
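The version ranges in Note 3 can be checked mechanically. The following shell function is an added example, not part of the original Sun Alert; the function names pg_affected and fixed_minor are hypothetical, and the check reflects only the upstream PostgreSQL version numbers listed in Note 3.

```shell
#!/bin/sh
# Added example: classify a PostgreSQL version string against Note 3.
# fixed_minor and pg_affected are hypothetical helper names.

# Print the first fixed minor release for a branch, as listed in Note 3.
fixed_minor() {
    case "$1" in
        7.4) echo 25 ;;
        8.0) echo 21 ;;
        8.1) echo 17 ;;
        8.2) echo 13 ;;
        8.3) echo 7 ;;
        *)   return 1 ;;   # branch not covered by Note 3
    esac
}

# pg_affected VERSION_STRING
# Accepts "8.3.6" or tool output such as "pg_ctl (PostgreSQL) 8.3.6".
# Prints "affected", "fixed", or "unknown" (unparsable or unlisted branch).
pg_affected() {
    # Pick the first whitespace-separated field shaped like X.Y.Z.
    ver=$(printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
    }')
    [ -n "$ver" ] || { echo unknown; return 0; }

    branch=${ver%.*}     # e.g. 8.3
    minor=${ver##*.}     # e.g. 6
    fixed=$(fixed_minor "$branch") || { echo unknown; return 0; }

    if [ "$minor" -lt "$fixed" ]; then
        echo affected
    else
        echo fixed
    fi
}

# On a live system the argument would come from the installed binaries, e.g.
#   pg_affected "$(/usr/postgres/8.3/bin/pg_ctl --version)"
# The strings below are constructed samples so the script runs offline.
for sample in "pg_ctl (PostgreSQL) 8.1.16" "pg_ctl (PostgreSQL) 8.2.13" \
              "pg_ctl (PostgreSQL) 8.3.6"; do
    printf '%s -> %s\n' "$sample" "$(pg_affected "$sample")"
done
```

Because Note 4 states that 8.1, 8.2 and 8.3 can be installed side by side, run the check once per installed pg_ctl binary.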
To determine if a version of PostgreSQL is installed, the following command can be used:
$ pkginfo | grep SUNWpostgr
To determine if PostgreSQL is running on a server, the following command can be run as the user "postgres" (or the "root" user):
for PostgreSQL 8.1:
$ pg_ctl status -D /var/lib/pgsql/data/
for PostgreSQL 8.2:
$ /usr/postgres/8.2/bin/pg_ctl status -D /var/postgres/8.2/data/
for PostgreSQL 8.3:
$ /usr/postgres/8.3/bin/pg_ctl status -D /var/postgres/8.3/data/
or (where applicable):
$ svcs -a | grep postgresql
3. Symptoms
If the described issue has been exploited to cause a Denial of Service (DoS), system response may be slow and the postgres(1) process may crash, potentially leaving a core file.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
For more information on Security Sun Alerts, see 1009886.1.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
13-Jul-2009: Updated Contributing Factors and Resolution sections. Resolved.