Friday, April 5, 2013
Critical updates for PostgreSQL
The updates 9.2.4, 9.1.9 and 9.0.13 close a very serious vulnerability in the database, so all users are advised to upgrade immediately. The project had warned in advance about the imminent release of the update and even temporarily closed access to its repository. While the repository was closed, the cloud hosting provider Heroku and some others updated PostgreSQL urgently, before the official release.
Users of 8.4 and earlier versions are not affected by the most dangerous vulnerability, but a new update, 8.4.17, was released for that branch as well, closing less serious bugs (see below).
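A practical first step for an administrator is to check whether each server already runs one of the fixed releases named above. The following script is an added example, not code from the article or from the PostgreSQL project: it parses the string returned by `SELECT version();` (or by `postgres --version`), finds the branch, and compares against the fixed release for that branch (9.2.4, 9.1.9, 9.0.13 and 8.4.17, as listed above). The sample version strings at the bottom are constructed for illustration.

```python
"""Check whether a reported PostgreSQL version includes the April 2013 fixes.

Added example; not from the article or the PostgreSQL project. The fixed
releases are the ones the article lists. 8.4 is included because it received
8.4.17 for the less serious fixes even though it is not affected by
CVE-2013-1899.
"""
import re
from typing import Optional, Tuple

# Minimum release on each branch that contains the fixes (from the article).
FIXED_RELEASES = {
    (9, 2): (9, 2, 4),
    (9, 1): (9, 1, 9),
    (9, 0): (9, 0, 13),
    (8, 4): (8, 4, 17),
}

# Matches the "PostgreSQL x.y.z" prefix of `SELECT version();` output.
_VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a version string.

    Returns None when no x.y.z triple is present.
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_current(version_string: str) -> Optional[bool]:
    """True if the server is at or above the fixed release of its branch,
    False if it is older, None if the string cannot be parsed or the branch
    is not one of those the article covers (for example 8.3)."""
    v = parse_version(version_string)
    if v is None:
        return None
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is None:
        return None
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return v >= fixed


# Constructed sample output, in the shape `SELECT version();` returns.
SAMPLE_VERSIONS = [
    "PostgreSQL 9.2.3 on x86_64-unknown-linux-gnu, compiled by gcc 4.7.2, 64-bit",
    "PostgreSQL 9.2.4 on x86_64-unknown-linux-gnu, compiled by gcc 4.7.2, 64-bit",
    "PostgreSQL 9.0.12 on x86_64-apple-darwin, 64-bit",
    "PostgreSQL 8.4.17 on i686-pc-linux-gnu",
    "PostgreSQL 8.3.23 on i686-pc-linux-gnu",
]

if __name__ == "__main__":
    labels = {True: "up to date", False: "needs update", None: "unknown branch"}
    for s in SAMPLE_VERSIONS:
        print(f"{labels[is_current(s)]:15} {s}")
```

In practice the input comes from running `psql -tAc "SELECT version();"` against each server; anything reported as "needs update" should be scheduled for the minor upgrade, and "unknown branch" means a version line the table does not cover and should be reviewed by hand.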
A brief description of the vulnerability, CVE-2013-1899, has been published: it allows a remote connection request to the server to be used to damage or destroy data on the server. It is especially dangerous for database servers exposed in a public cloud. The vulnerability was discovered by Japanese researchers from the NTT Open Source Software Center.
Exploits have not yet appeared in the public domain, but should they appear, it will be possible to easily disable PostgreSQL servers and, given elevated and superuser privileges, to execute arbitrary code.
In addition, the update closes two less serious vulnerabilities, CVE-2013-1900 and CVE-2013-1901. The first is a weakness in the random number generator of contrib/pgcrypto; the second is the possibility for an unprivileged user to interfere with a backup in progress.
Finally, the PostgreSQL update closes two vulnerabilities in the graphical installers for Linux and Mac OS X, related to unsafe passing of the superuser password to a script and to predictable naming of files in /tmp.