PostgreSQL Update Fixes Serious Vulnerability

    A security update has been released for all current versions of PostgreSQL, including 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update fixes a highly dangerous vulnerability in versions 9.0 and later. All users are strongly advised to upgrade.

    The main security problem fixed in this release, CVE-2013-1899, allows an attacker to damage or destroy some files in the server directory by sending a connection request for a database whose name starts with "-". Anyone who has access to the PostgreSQL port can send such a request.

    Two less serious vulnerabilities have also been fixed in this release: CVE-2013-1900, in which random numbers generated by contrib/pgcrypto functions can be easily predicted by a user of another database, and CVE-2013-1901, in which an unprivileged user could influence the process of creating database backups.

    Updates have already been released for Debian Wheezy and Ubuntu.

    News on the PostgreSQL website: http://www.postgresql.org/about/news/1456/
    News on Linux.Org.Ru: http://www.linux.org.ru/news/security/9032736
