Developers of PostgreSQL remedy vulnerabilities
The developers of PostgreSQL have published updated versions of their database software to remedy several vulnerabilities. Among other things, attackers were able to exploit the flaws to escalate their privileges or cause the database to crash. The developers describe the bugs as critical. They have also announced that they will be discontinuing support for outdated versions.
Updates are now available for branches 7.3, 7.4, 8.0, 8.1 and 8.2 of PostgreSQL. These updates remedy a vulnerability in the creation of an index of results of user-defined functions, which allowed users to escalate their rights. Some of the functions ran with superuser privileges and also allowed the commands SET ROLE and SET SESSION AUTHORIZATION to be executed. Users may also have been able to escalate their access privileges in the DBLink add-on module. In addition, attackers were able to conduct denial-of-service attacks by means of regular expressions in SQL requests that cause the database to enter infinite loops, consume all available memory, or crash.
In the release notes, the developers list a number of other changes in the new versions, most of which are essentially of a cosmetic nature. Version 7.3.21 will be the last update for that development branch, while 8.0.15 and 8.1.11 are the last versions of those branches for which the community will provide windows binaries. The developers recommend that administrators using these branches switch to current branches of the database. The developers also recommend that the updates be installed as soon as possible.
- 2008-01-07 Cumulative Security Update Release, security advisory from the developers of PostgreSQL
- Download current PostegreSQL packets
- Release notes for the new versions