PostgreSQL releases critical security patches

Newsletter Subscription | Glossary | Contact Us

Home > All Categories > PostgreSQL > Announcements > PostgreSQL releases critical security patches

PostgreSQL releases critical security patches

Authored by:
Viewed: 327 times so far

Today the PostgreSQL Global Development Group is releasing updated versions which patch five security vulnerabilities. These releases update all current PostgreSQL versions, including 8.2, 8.1, 8.0, 7.4 and 7.3. They are considered CRITICAL and PostgreSQL DBAs and sysadmins should install the update as soon as they reasonably can. Our security team has made all efforts to make these patches backwards-compatible, and upgrading does not require converting your data files.

Vulnerable Systems:
* PostgreSQL version 8.2
* PostgreSQL version 8.1
* PostgreSQL version 8.0
* PostgreSQL version 7.4
* PostgreSQL version 7.3

Immune Systems:
* PostgreSQL version 8.2.6
* PostgreSQL version 8.1.11
* PostgreSQL version 8.0.15
* PostgreSQL version 7.4.19
* PostgreSQL version 7.3.21

There are five security fixes included in this release. None of these issues are known to have been exploited in the field; they were discovered through security analysis.

Index Functions Privilege Escalation (CVE-2007-6600): as a unique feature, PostgreSQL allows users to create indexes on the results of user-defined functions, known as "expression indexes". This provided two vulnerabilities to privilege escalation: (1) index functions were executed as the superuser and not the table owner during VACUUM and ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were permitted within index functions. Both of these holes have now been closed.

Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067, CVE-2007-4769): three separate issues in the regular expression libraries used by PostgreSQL allowed malicious users to initiate a denial-of-service by passing certain regular expressions in SQL queries. First, users could create infinite loops using some specific regular expressions. Second, certain complex regular expressions could consume excessive amounts of memory. Third, out-of-range backref numbers could be used to crash the backend. All of these issues have been patched.

DBLink Privilege Escalation (CVE-2007-6601): DBLink functions combined with local trust or ident authentication could be used by a malicious user to gain superuser privileges. This issue has been fixed, and does not affect users who have not installed DBLink (an optional module), or who are using password authentication for local access. This same problem was addressed in the previous release cycle (see CVE-2007-3278), but that patch failed to close all forms of the loophole.

Download and Install
PostgreSQL minor releases 8.2.6, 8.1.11, 8.0.15, 7.4.19 and 7.3.21 are available through our FTP mirror network:
Source Code: http://www.postgresql.org/ftp/source/
Binaries for some platforms: http://www.postgresql.org/ftp/binary/

If you need additional information on the included updates, it's available in our Release Notes (http://www.postgresql.org/docs/current/static/release.html). These upgrades can be copied directly over existing PostgreSQL binaries and do not require dump-and-reload for any system which has been updated in the last six months (older versions may require some specific post-update steps; see the release notes).

Click Here to View all the questions in Announcements category.

File Attachments