mod_auth_pgsql security update

2006-01-06T08:44:52
ID CESA-2006:0164
Type centos
Reporter CentOS Project
Modified 2006-01-06T13:25:25

Description

CentOS Errata and Security Advisory CESA-2006:0164

The mod_auth_pgsql package is an httpd module that allows user authentication against information stored in a PostgreSQL database.

Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue.

Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database.

All users of mod_auth_pgsql should upgrade to these updated packages, which contain a backported patch to resolve this issue.

This issue does not affect the mod_auth_pgsql package supplied with Red Hat Enterprise Linux 2.1.

Red Hat would like to thank iDefense for reporting this issue.

Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-announce/2006-January/024584.html http://lists.centos.org/pipermail/centos-announce/2006-January/024585.html http://lists.centos.org/pipermail/centos-announce/2006-January/024586.html http://lists.centos.org/pipermail/centos-announce/2006-January/024587.html http://lists.centos.org/pipermail/centos-announce/2006-January/024588.html http://lists.centos.org/pipermail/centos-announce/2006-January/024589.html http://lists.centos.org/pipermail/centos-announce/2006-January/024590.html http://lists.centos.org/pipermail/centos-announce/2006-January/024591.html http://lists.centos.org/pipermail/centos-announce/2006-January/024592.html

Affected packages: mod_auth_pgsql

Upstream details at: https://rhn.redhat.com/errata/RHSA-2006-0164.html