(RHSA-2009:1461) Important: Red Hat Application Stack v2.4 security and enhancement update

Red Hat Application Stack v2.4 is an integrated open source application
stack, that includes Red Hat Enterprise Linux 5 and JBoss Enterprise
Application Platform (EAP). JBoss EAP is provided through the JBoss EAP
channels on the Red Hat Network.

PostgreSQL was updated to version 8.2.14, fixing the following security
issues:

A flaw was found in the way PostgreSQL handles LDAP-based authentication.
If PostgreSQL was configured to use LDAP authentication and the LDAP server
was configured to allow anonymous binds, anyone able to connect to a given
database could use this flaw to log in as any database user, including a
PostgreSQL superuser, without supplying a password. (CVE-2009-3231)

It was discovered that the upstream patch for CVE-2007-6600 included in the
Red Hat Security Advisory RHSA-2008:0040 did not include protection against
misuse of the RESET ROLE and RESET SESSION AUTHORIZATION commands. An
authenticated user could use this flaw to install malicious code that would
later execute with superuser privileges. (CVE-2009-3230)

A flaw was found in the way PostgreSQL handles external plug-ins. This flaw
could allow remote, authenticated users without superuser privileges to
crash the back-end server by using the LOAD command on libraries in
“/var/lib/pgsql/plugins/” that have already been loaded, causing a
temporary denial of service during crash recovery. (CVE-2009-3229)

MySQL was updated to version 5.0.84, fixing the following security issues:

An insufficient HTML entities quoting flaw was found in the mysql command
line client’s HTML output mode. If an attacker was able to inject arbitrary
HTML tags into data stored in a MySQL database, which was later retrieved
using the mysql command line client and its HTML output mode, they could
perform a cross-site scripting (XSS) attack against victims viewing the
HTML output in a web browser. (CVE-2008-4456)

Multiple format string flaws were found in the way the MySQL server logs
user commands when creating and deleting databases. A remote, authenticated
attacker with permissions to CREATE and DROP databases could use these
flaws to formulate a specifically-crafted SQL command that would cause a
temporary denial of service (open connections to mysqld are terminated).
(CVE-2009-2446)

Note: To exploit the CVE-2009-2446 flaws, the general query log (the mysqld
“–log” command line option or the “log” option in “/etc/my.cnf”) must be
enabled. This logging is not enabled by default.

PHP was updated to version 5.2.10, fixing the following security issue:

An insufficient input validation flaw was discovered in the PHP
exif_read_data() function, used to read Exchangeable image file format
(Exif) metadata from images. An attacker could create a specially-crafted
image that could cause the PHP interpreter to crash or disclose portions of
its memory while reading the Exif metadata from the image. (CVE-2009-2687)

Apache httpd has been updated with backported patches to correct the
following security issues:

A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp
module. A malicious FTP server to which requests are being proxied could
use this flaw to crash an httpd child process via a malformed reply to the
EPSV or PASV commands, resulting in a limited denial of service.
(CVE-2009-3094)

A second flaw was found in the Apache mod_proxy_ftp module. In a reverse
proxy configuration, a remote attacker could use this flaw to bypass
intended access restrictions by creating a carefully-crafted HTTP
Authorization header, allowing the attacker to send arbitrary commands to
the FTP server. (CVE-2009-3095)

Also, the following packages have been updated:

• postgresql-jdbc to 8.2.510
• php-pear to 1.8.1
• perl-DBI to 1.609
• perl-DBD-MySQL to 4.012

All users should upgrade to these updated packages, which resolve these
issues. Users must restart the individual services, including postgresql,
mysqld, and httpd, for this update to take effect.