In association with heise online

05 October 2010, 17:34

Security updates for PostgreSQL

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

PostgreSQL Logo A flaw in all versions of PostgreSQL since 7.4 allows users to modify functions written in a procedural language such as Perl or Tcl at run-time. Corrected binaries and source code packages for PostgreSQL 9.0.1 became available at the project's web site earlier today.

The bug can be exploited by users who are permitted to use procedural languages if a function includes the SECURITY DEFINER attribute. It enables users to escalate their access rights. However, the developers point out that having the API for a procedural language installed doesn't present a security risk in itself.

The bug fixes will be the last corrections made to PostgreSQL versions 7.4 and 8.0, and support of 8.1 will be discontinued before the end of the year. The updates fix the hole for Tcl and Perl, but no information about Python has so far become available. An update for PHP is to follow in the near future. According to the release notes, the new packages also contain other corrections and improvements. The developers recommend that all users switch to a new version.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit