CentOS Errata and Security Advisory CESA-2006:0164
The mod_auth_pgsql package is an httpd module that allows user authentication against information stored in a PostgreSQL database.
Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue.
Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database.
All users of mod_auth_pgsql should upgrade to these updated packages, which contain a backported patch to resolve this issue.
This issue does not affect the mod_auth_pgsql package supplied with Red Hat Enterprise Linux 2.1.
Red Hat would like to thank iDefense for reporting this issue.
Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-announce/2006-January/024584.html http://lists.centos.org/pipermail/centos-announce/2006-January/024585.html http://lists.centos.org/pipermail/centos-announce/2006-January/024586.html http://lists.centos.org/pipermail/centos-announce/2006-January/024587.html http://lists.centos.org/pipermail/centos-announce/2006-January/024588.html http://lists.centos.org/pipermail/centos-announce/2006-January/024589.html http://lists.centos.org/pipermail/centos-announce/2006-January/024590.html http://lists.centos.org/pipermail/centos-announce/2006-January/024591.html http://lists.centos.org/pipermail/centos-announce/2006-January/024592.html
Affected packages: mod_auth_pgsql
Upstream details at: https://rhn.redhat.com/errata/RHSA-2006-0164.html