Security updates for PostgreSQL
A flaw in all versions of PostgreSQL since 7.4 allows users to modify functions written in a procedural language such as Perl or Tcl at run-time. Corrected binaries and source code packages for PostgreSQL 9.0.1 became available at the project's web site earlier today.
The bug can be exploited by users who are permitted to use procedural languages if a function includes the SECURITY DEFINER attribute; it enables such users to escalate their access rights. However, the developers point out that having the API for a procedural language installed doesn't present a security risk in itself.
The bug fixes will be the last corrections made to PostgreSQL versions 7.4 and 8.0, and support of 8.1 will be discontinued before the end of the year. The updates fix the hole for Tcl and Perl, but no information about Python has so far become available. An update for PHP is to follow in the near future. According to the release notes, the new packages also contain other corrections and improvements. The developers recommend that all users switch to a new version.
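As an added example, not taken from the article or from the PostgreSQL project, the following queries let an administrator inventory the functions the report describes (SECURITY DEFINER functions written in PL/Perl or PL/Tcl) and see which roles may use those languages, followed by an interim hardening step that narrows language access until the patched packages are installed. The role name trusted_pl_authors is a placeholder.

```sql
-- Inventory: SECURITY DEFINER functions written in PL/Perl or PL/Tcl.
-- Such a function runs with its owner's rights, so an owner that is a
-- superuser is the case to review first.
SELECT n.nspname  AS schema_name,
       p.proname  AS function_name,
       l.lanname  AS language_name,
       r.rolname  AS owner,
       r.rolsuper AS owner_is_superuser
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles     r ON r.oid = p.proowner
WHERE p.prosecdef
  AND l.lanname IN ('plperl', 'plperlu', 'pltcl', 'pltclu')
ORDER BY r.rolsuper DESC, n.nspname, p.proname;

-- Which of these languages are installed, whether they are marked trusted,
-- and their access list (an empty lanacl on a trusted language means
-- PUBLIC has USAGE, i.e. any user may create functions in it).
SELECT l.lanname, l.lanpltrusted, l.lanacl
FROM pg_language l
WHERE l.lanname IN ('plperl', 'plperlu', 'pltcl', 'pltclu');

-- Interim hardening until the fixed packages are installed (an assumption
-- about suitable mitigation, not a step from the release notes): withdraw
-- USAGE on the language from PUBLIC so only an explicitly trusted role can
-- create functions in it. Existing functions remain callable via EXECUTE.
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;
REVOKE USAGE ON LANGUAGE pltcl  FROM PUBLIC;
GRANT  USAGE ON LANGUAGE plperl TO trusted_pl_authors;  -- placeholder role
GRANT  USAGE ON LANGUAGE pltcl  TO trusted_pl_authors;  -- placeholder role
```

Re-run the first two queries after applying the updates to confirm that the set of SECURITY DEFINER procedural-language functions matches what you expect and that language USAGE is limited to the roles you intend.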
See also:
- PostgreSQL 9.0 brings replication and more, a report from The H.
- First alpha for PostgreSQL 9.1 appears, a report from The H.
- End of support for old PostgreSQL versions, a report from The H.
(crve)