PostgreSQL Security Updates Released

June 5, 2012

H Security – (International) PostgreSQL security updates released. The PostgreSQL Global Development Group released security updates for all currently supported versions (9.1.x, 9.0.x, 8.4.x, and 8.3.x) of the open source relational database system. The updates include versions 9.1.4, 9.0.8, 8.4.12, and 8.3.19 of PostgreSQL, which close 2 security holes and include 42 other bug fixes. Users of the crypt function included in the pgcrypto module should update their installations immediately, as the update fixes incorrect password transformations that can lead to shorter-than-desired passwords that are easier to attack. After updating, users will have to regenerate all passwords containing the byte value 0x80 to fix encrypted passwords that were truncated by the faulty code. The other security issue corrected involves a bug in a call handler that could lead to a server crash when applying SECURITY DEFINER and SET attributes. This can be exploited to create denial of service situations.
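
An added example for the regeneration step (not code from the PostgreSQL project or the original report): a stored crypt() hash does not show which bytes the password contained, so the check for 0x80 has to run where the plaintext is available, such as at login or password change. The function names, the server_encoding parameter and the sample accounts are assumptions made for illustration.

```python
from typing import List, NamedTuple, Optional, Tuple

AFFECTED_BYTE = 0x80  # byte value named in the update notice


class Triage(NamedTuple):
    regenerate: bool             # True if the stored hash must be regenerated
    first_offset: Optional[int]  # offset of the first 0x80 byte, if any
    total_bytes: int             # length of the password as the server sees it


def triage_password(password: str, server_encoding: str = "utf-8") -> Triage:
    """Check the password bytes in the encoding the database receives them in."""
    raw = password.encode(server_encoding)
    offset = raw.find(bytes([AFFECTED_BYTE]))
    if offset == -1:
        return Triage(False, None, len(raw))
    return Triage(True, offset, len(raw))


def accounts_to_regenerate(logins: List[Tuple[str, str]],
                           server_encoding: str = "utf-8") -> List[str]:
    """Return the users whose hash should be recomputed with the fixed crypt()."""
    return [user for user, password in logins
            if triage_password(password, server_encoding).regenerate]


# Constructed sample logins (not real credentials), written with escapes so the
# bytes are unambiguous: U+00C0 is C3 80 in UTF-8, the en dash U+2013 is
# E2 80 93, and the euro sign U+20AC is E2 82 AC in UTF-8 but 80 in cp1252.
SAMPLE_LOGINS = [
    ("alice", "hunter2"),
    ("bob", "\u00c0-la-carte"),
    ("carol", "pass\u2013word"),
    ("dave", "\u20acuro2012"),
]

if __name__ == "__main__":
    for enc in ("utf-8", "cp1252"):
        print(enc, accounts_to_regenerate(SAMPLE_LOGINS, enc))
```

The same password is affected or not depending on the encoding it is sent in, so the check must use the encoding the database actually receives.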