05 Apr 2013, 22:27

Postgres > Major security issue > PostgreSQL 9.2.4, 9.1.9, 9.0.13 and 8.4.17 released

For those using Postgres, a minor release was made yesterday fixing some major security issues; everyone is strongly recommended to upgrade their Postgres server immediately, especially if the server is reachable from outside your network. If it is only reachable internally, upgrading is safe but not as urgent.

Quoting the announcement:

A major security issue fixed in this release, CVE-2013-1899, makes it possible for a connection request containing a database name that begins with "-" to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request. This issue was discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center.

Two lesser security fixes are also included in this release: CVE-2013-1900, wherein random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess, and CVE-2013-1901, which mistakenly allows an unprivileged user to run commands that could interfere with in-progress backups. Finally, this release fixes two security issues with the graphical installers for Linux and Mac OS X: insecure passing of superuser passwords to a script, CVE-2013-1903 and the use of predictable filenames in /tmp CVE-2013-1902. Marko Kreen, Noah Misch and Stefan Kaltenbrunner reported these issues, respectively.

I will also remind you that Postgres 8.3 has been unmaintained and unsupported since the end of February 2013, and that 8.4 is maintained and supported until July 2014. More information is on the Versioning policy page.
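As an added example (my own helper, not code from the original post or from the PostgreSQL project), here is a small check that classifies a server's version string against the fixed versions quoted above (9.2.4, 9.1.9, 9.0.13, 8.4.17), so you can run it over the output of `SELECT version()` or `pg_config --version` from each host in an inventory. The version strings it is fed below are constructed samples; branches older than 8.4 are reported as unsupported because no fix was published for them, and branches newer than 9.2 are outside what the announcement covers and are reported as unknown.

```python
import re

# Minimum patched version per supported major branch, taken from the
# release announcement quoted above.
FIXED_VERSIONS = {
    (9, 2): (9, 2, 4),
    (9, 1): (9, 1, 9),
    (9, 0): (9, 0, 13),
    (8, 4): (8, 4, 17),
}

# Matches the "PostgreSQL X.Y.Z" prefix found in SELECT version() and
# pg_config --version output.
_VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string):
    """Extract (major, minor, patch) from a PostgreSQL version string."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError("no PostgreSQL version found in: %r" % version_string)
    return tuple(int(x) for x in m.groups())


def assess(version_string):
    """Classify a server as 'patched', 'vulnerable', 'unsupported' or 'unknown'.

    'vulnerable' means the branch is covered by the announcement but the
    patch level is below the fixed release; 'unsupported' means the branch
    (8.3 and older) received no fix at all, so the only remedy is a major
    upgrade; 'unknown' means a branch newer than the announcement covers.
    """
    major, minor, patch = parse_version(version_string)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[branch]
        return "patched" if (major, minor, patch) >= fixed else "vulnerable"
    if branch < (8, 4):
        return "unsupported"
    return "unknown"


def assess_inventory(version_strings):
    """Map each version string to its assessment, for a batch of hosts."""
    return {v: assess(v) for v in version_strings}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real data).
    samples = [
        "PostgreSQL 9.2.3 on x86_64-unknown-linux-gnu, compiled by gcc (GCC) 4.4.7, 64-bit",
        "PostgreSQL 9.2.4 on x86_64-unknown-linux-gnu, compiled by gcc (GCC) 4.4.7, 64-bit",
        "PostgreSQL 8.4.16 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 4.1.2, 32-bit",
        "PostgreSQL 8.3.23 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 4.1.2",
    ]
    for version, verdict in assess_inventory(samples).items():
        print("%-12s %s" % (verdict, version.split(" on ")[0]))
```

Hosts reported as "vulnerable" should be upgraded to the listed minor release for their branch; hosts reported as "unsupported" are on a branch the project no longer patches, so a minor upgrade cannot fix them and a move to a maintained branch is needed.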

