PostgreSQL developers fix weakened passwords
The PostgreSQL developers have released minor version updates for all active branches of their open source SQL database. Versions 9.1.1, 9.0.5, 8.4.9, 8.3.16 and 8.2.22 of PostgreSQL close a security hole which resulted in weakened passwords, and address a number of bugs found in previous versions including crashing and data-corruption issues.
According to the developers, the updates fix a vulnerability in the Blowfish encryption code used by contrib/pg_crypto that could cause encrypted passwords to be "weaker than they should be"; the same bug was recently diagnosed and fixed in PHP 5.3.7 (CVE-2011-2483).
Other changes include SSL error handling improvements, fixes for SSPI login, VACUUM, and a memory leak at the end of a GiST index scan. SELECT FOR UPDATE/SHARE on sequences has been disabled as it "doesn't work as expected and can lead to failures". A work-around for an optimisation bug in version 4.6 of the GNU Compiler Collection (GCC) that can break the replay of write-ahead logging (WAL) is also included. All users are "strongly urged" to install the updates.
More details about the updates, including full lists of changes, can be found in the announcement news post, and in the 8.2.22, 8.3.16, 8.4.9, 9.0.5 and 9.1.1 release notes. PostgreSQL source code and executable versions are available to download from the project's site. The source code is made available under the terms of the PostgreSQL Licence, described as a liberal open source licence, similar to the BSD or MIT licences.
(crve)