New versions of PostgreSQL
The vendor of PostgreSQL has fixed two holes that attackers can exploit to crash a system and possibly even to gain access to sensitive data. Both PostgreSQL 7 and 8 are affected. The problems have been remedied in 8.0.11, 7.4.16, and 7.3.13, but versions 8.2.2 and 8.1.7, which were also released to fix the flaws, seem to have problems of their own.
According to a posting on the PGSQL-announce mailing list, 8.2.2 and 8.1.7 have serious issues with variable-length datatypes when used with type constraints or expression indexes. The PGSQL developers advise admins running 8.2 and 8.1 to wait for new minor releases, presumably 8.2.3 and 8.1.8, which are to be released within the next two days.
- CVE-2007-0555 and CVE-2007-0556 on PostgreSQL's security website
- Warning: WAIT before applying 8.1, 8.2 security releases!, posting from the PGSQL developers
(trk)