In association with heise online

08 January 2008, 11:06

Developers of PostgreSQL remedy vulnerabilities


The developers of PostgreSQL have published updated versions of their database software to remedy several vulnerabilities. Among other things, attackers were able to exploit the flaws to escalate their privileges or cause the database to crash. The developers describe the bugs as critical. They have also announced that they will be discontinuing support for outdated versions.

Updates are now available for the 7.3, 7.4, 8.0, 8.1 and 8.2 branches of PostgreSQL. They remedy a privilege-escalation vulnerability in the handling of indexes built on user-defined functions: a function referenced in an index definition was executed with the privileges of whoever ran maintenance commands such as VACUUM, ANALYZE or REINDEX on the table, typically a superuser, rather than with those of the table's owner, and such a function could also issue SET ROLE and SET SESSION AUTHORIZATION. An ordinary user who owned a table could thus have code of their choosing run with superuser rights during routine maintenance. The dblink add-on module could likewise be abused by users to gain privileges they did not have. In addition, attackers were able to conduct denial-of-service attacks with crafted regular expressions in SQL queries that caused the server to enter infinite loops, consume all available memory, or crash.
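The index-function issue is easiest to understand by watching which role a user's index function actually executes as. The following SQL is an added illustration and check, not code from the article or the PostgreSQL project. It assumes PostgreSQL 8.0 or later with PL/pgSQL installed (8.1 or later for the pg_roles view used in the audit query), and the role names alice (an ordinary user who owns a table) and postgres (the superuser doing maintenance) are hypothetical. The first part reproduces the pre-fix privilege context without performing any actual escalation; the last part is an audit query that lists every expression or partial index whose user-defined function would be executed during maintenance, together with the owner of that function.

```sql
-- Added illustration; not from the article or the PostgreSQL project.
-- Assumes PostgreSQL 8.0+ (dollar quoting) with PL/pgSQL installed, and
-- 8.1+ for the pg_roles view in the audit query. Role names "alice"
-- (ordinary table owner) and "postgres" (superuser) are hypothetical.

---------------------------------------------------------------------------
-- 1. Set-up, run as alice
---------------------------------------------------------------------------
CREATE TABLE alice_data (id int PRIMARY KEY, payload text);

-- Side table that records which role each evaluation of the index
-- function actually ran as. Owned by alice, so alice can read it later.
CREATE TABLE who_ran (seen_at timestamptz DEFAULT now(), run_as name);

-- Index functions must be declared IMMUTABLE; declaring a function with
-- side effects IMMUTABLE is exactly the lie an attacker relies on here.
-- On unpatched servers the body executes as whoever triggers the index
-- rebuild. A SET ROLE or SET SESSION AUTHORIZATION placed in this body is
-- what the fixed releases reject.
CREATE FUNCTION alice_idx_fn(text) RETURNS text AS $$
BEGIN
    INSERT INTO who_ran (run_as) VALUES (current_user);
    RETURN lower($1);
END;
$$ LANGUAGE plpgsql IMMUTABLE;

CREATE INDEX alice_data_idx ON alice_data (alice_idx_fn(payload));

INSERT INTO alice_data VALUES (1, 'Alpha');   -- each insert logs 'alice'
INSERT INTO alice_data VALUES (2, 'Bravo');

---------------------------------------------------------------------------
-- 2. Routine maintenance, run as the superuser postgres
---------------------------------------------------------------------------
REINDEX INDEX alice_data_idx;   -- re-evaluates alice_idx_fn for every row

---------------------------------------------------------------------------
-- 3. Inspect the result, run as alice
---------------------------------------------------------------------------
-- Unpatched server: the rows written during REINDEX show
--                   run_as = 'postgres', i.e. alice's code ran as superuser.
-- Patched server:   they show run_as = 'alice', the table owner.
SELECT run_as, count(*) AS evaluations
FROM who_ran
GROUP BY run_as;

---------------------------------------------------------------------------
-- 4. Audit query, run as a superuser: which user-defined functions are
--    evaluated when each table's indexes are maintained, and who owns them
---------------------------------------------------------------------------
-- Built-in functions are pinned and never appear in pg_depend, so only
-- user-defined functions referenced from index expressions or partial-index
-- predicates are listed. Compare function_owner with table_owner: any row
-- where they differ, or where the owner is not a trusted DBA, is code some
-- other user gets to run inside your maintenance window.
SELECT n.nspname                     AS schema_name,
       tc.relname                    AS table_name,
       towner.rolname                AS table_owner,
       ic.relname                    AS index_name,
       p.proname                     AS function_name,
       fowner.rolname                AS function_owner,
       l.lanname                     AS language,
       pg_get_indexdef(i.indexrelid) AS index_definition
FROM pg_index i
JOIN pg_class     ic     ON ic.oid = i.indexrelid
JOIN pg_class     tc     ON tc.oid = i.indrelid
JOIN pg_namespace n      ON n.oid  = tc.relnamespace
JOIN pg_roles     towner ON towner.oid = tc.relowner
JOIN pg_depend    d      ON d.classid    = 'pg_class'::regclass
                        AND d.objid      = i.indexrelid
                        AND d.refclassid = 'pg_proc'::regclass
JOIN pg_proc      p      ON p.oid = d.refobjid
JOIN pg_roles     fowner ON fowner.oid = p.proowner
JOIN pg_language  l      ON l.oid = p.prolang
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY schema_name, table_name, index_name;
```

The audit query is worth running before the update is applied, to see which tables' maintenance currently executes code owned by ordinary users. After the update, the same REINDEX in part 2 records the table owner rather than the superuser, and a function that tries SET ROLE or SET SESSION AUTHORIZATION while being evaluated for an index fails instead of changing the session's identity.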

In the release notes, the developers list a number of further changes in the new versions, most of them minor. Version 7.3.21 is the last update for that branch, and 8.0.15 and 8.1.11 are the last versions of their branches for which the community will provide Windows binaries. The developers recommend that administrators still running these branches migrate to a current branch of the database, and that the updates be installed as soon as possible.
