PostgreSQL updates close security holes
The PostgreSQL development team has published updates for all actively supported branches of its open source relational database to fix bugs and close security holes found in the previous releases.
Versions 9.1.3, 9.0.7, 8.4.11 and 8.3.18 correct a problem that prevented permission checks from being performed and a bug that may result in the successful verification of a spoofed SSL certificate. An input sanitisation error that could be used to execute code when loading a pg_dump file has also been fixed.
These vulnerabilities could be exploited by an attacker to bypass some security restrictions or conduct spoofing attacks and manipulate data. Versions up to and including 9.1.2, 9.0.6, 8.4.10 and 8.3.17 are affected; all users are advised to upgrade.
Further information about the updates, including a full list of fixes and changes, can be found in the 9.1.3, 9.0.7, 8.4.11 and 8.3.18 release notes. The new versions of PostgreSQL are available to download from the project's site. Source code for PostgreSQL is made available under the terms of the PostgreSQL License, described as "a liberal open source licence, similar to the BSD or MIT licences".
See also:
- Security Update 2012-02-27 released, a PostgreSQL advisory.
(crve)