PostgreSQL security updates released
The PostgreSQL Global Development Group has released security updates for all currently supported versions (9.1.x, 9.0.x, 8.4.x and 8.3.x) of the open source relational database system. The updates include versions 9.1.4, 9.0.8, 8.4.12 and 8.3.19 of PostgreSQL, which close two security holes and include 42 other bug fixes.
Users of the crypt function included in the pgcrypto module should update their installations immediately, as the update fixes incorrect password transformations which can lead to shorter than desired passwords that are easier to attack. After updating, users will have to regenerate all passwords containing the byte value 0x80 to fix encrypted passwords that were truncated by the faulty code.
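One way to triage which credentials need regenerating, as an added example that is not part of the article or of the PostgreSQL project: for accounts whose plaintext you still hold (for instance service accounts in a secrets store), it reports whether the password contains the byte 0x80 once encoded in the database's server encoding. The function names and sample accounts are made up, and it assumes crypt() receives the password in the server encoding.

```python
# Added example (not PostgreSQL project code): triage passwords after the pgcrypto fix.
AFFECTED_BYTE = 0x80  # byte value named in the article


def first_affected_offset(password, server_encoding="utf-8"):
    """Return the index of the first 0x80 byte in the password as encoded
    in server_encoding (assumed to be what crypt() sees), or None."""
    try:
        raw = password.encode(server_encoding)
    except UnicodeEncodeError:
        # Not representable in this encoding, so it cannot be stored this way.
        return None
    idx = raw.find(bytes([AFFECTED_BYTE]))
    return idx if idx >= 0 else None


def accounts_to_regenerate(credentials, server_encoding="utf-8"):
    """credentials: iterable of (account, plaintext_password) pairs.
    Returns the sorted account names whose passwords must be regenerated."""
    return sorted(
        account
        for account, password in credentials
        if first_affected_offset(password, server_encoding) is not None
    )


# Constructed sample data: account names and passwords are made up.
SAMPLE = [
    ("reporting", "correct horse battery"),  # pure ASCII: never contains 0x80
    ("billing", "caf\u00e9-2012"),           # e-acute is C3 A9 in UTF-8
    ("backup", "\u00c0-la-carte"),           # A-grave is C3 80 in UTF-8
    ("etl", "5\u20ac-per-month"),            # euro sign: E2 82 AC in UTF-8, 80 in cp1252
    ("legacy", "dash\u2013separated"),       # en dash is E2 80 93 in UTF-8
]

if __name__ == "__main__":
    # The same password list gives different results per server encoding.
    for enc in ("utf-8", "cp1252", "latin-1"):
        print(enc, accounts_to_regenerate(SAMPLE, enc))
```

Pure-ASCII passwords are never flagged; whether a non-ASCII password is affected depends on the encoding, which is why the server encoding is a parameter.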
The other security issue that has been corrected is a bug in a call handler that could lead to a server crash when applying SECURITY DEFINER and SET attributes. This can be exploited to create Denial of Service (DoS) situations.
The updates for the 9.1.x, 9.0.x, 8.4.x and 8.3.x branches of PostgreSQL can be downloaded from the project's download site. Binary packages are available for Linux, FreeBSD, Solaris, Windows and Mac OS X. The source code of the project is made available under the terms of the PostgreSQL Licence, a permissive open source licence similar in character to the BSD or MIT licences.
(fab)