PostgreSQL developers fix vulnerabilities
PostgreSQL 7 and 8 users are advised to update their installations, as the development team has released new versions which fix a vulnerability classed as moderately severe in PL/perl and PL/tcl. The CVE-2010-1169, CVE-2010-1447 and CVE-2010-1170 reports detail the vulnerabilities involved. The changes include the removal of the Safe.pm module, which acted as a kind of sandbox for Perl programs. Instead, PostgreSQL code now includes a hard-wired list of permissible Perl operators. According to the release notes, one side effect of this is that stored procedures written in Perl now compile more quickly.
PostgreSQL versions 8.0 to 8.4 and 7.4 are affected by the update. Installation packages and source code are available online. 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25 and 7.4.29 are now the current versions. No further updates for 8.0 and 7.4 will be released after June 2010, so the development team is advising users to move to more recent versions. A bug-fix successor to the recently released beta version of 9.0 is expected to be released in a few days' time.
PostgreSQL is an open-source Object-Relational DBMS supporting almost all SQL constructs. The PostgreSQL development team includes employees of Red Hat, F-Secure and EnterpriseDB. PostgreSQL is released under the PostgreSQL License, a liberal Open Source license, similar to the BSD or MIT licenses.
- PostgreSQL 9.0 beta has replication built in, a report from The H.