Steve Klabnik changelog.com/posts

Reminder: Upgrade your Postgres today!

Last week, I told you all about an incoming security patch for Postgres. Well, today, it’s here. Please check out this page and upgrade your Postgres. As the Postgres team says, ‘This is the first security issue of this magnitude since 2006.’

What's the issue?

As always, you can find the latest information about security patches via the CVE system. Here’s the one for this vulnerability, CVE-2013-1899.

There are three things that can happen with this vulnerability:

  • Denial of Service. Error messages can be appended to files in Postgres' data directory. This can fill up disks, or cause Postgres to crash.
  • Configuration Setting Privilege Escalation. If an attacker has a legitimate login, and the username and database name are identical, then that user can set a config variable as the superuser.
  • Arbitrary Code Execution. The 'boss level' of vulnerabilities. If an attacker can do both of the above things, and can save files outside of the data directory, then they can execute arbitrary C code.

Damn.

What versions are affected?

Versions 9.0, 9.1 and 9.2.
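The quickest way to act on that list is to check which branch and minor release each server you run is actually on. The following Python helper is an added example, not code from the post or from the Postgres project: it parses the banner returned by `SELECT version()` or printed by `postgres --version` and reports whether the server sits on an affected branch below the first patched minor release. The patched minor numbers in `PATCHED_MINOR` are an assumption taken from the release announcements the post links to; confirm them there before relying on the table. The sample banners at the bottom are constructed.

```python
import re

# First minor release on each affected branch that carries the fix.
# Assumption: confirm these against the Postgres release announcements.
PATCHED_MINOR = {"9.0": 13, "9.1": 9, "9.2": 4}

# Matches "PostgreSQL 9.2.3 on x86_64..." (SELECT version()) and
# "postgres (PostgreSQL) 9.2.4" (postgres --version).
VERSION_RE = re.compile(r"PostgreSQL\)?\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner):
    """Return (major, minor, patch) from a server banner, or None if no
    version number is present. A missing patch component counts as 0."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch is not None else 0)


def is_vulnerable(banner, patched=PATCHED_MINOR):
    """True if the server is on an affected branch (9.0, 9.1, 9.2) and
    below the first patched minor release; False if it is already patched
    or on a branch the advisory does not list; None if the banner cannot
    be parsed (treat that as 'go and look manually')."""
    version = parse_version(banner)
    if version is None:
        return None
    branch = f"{version[0]}.{version[1]}"
    if branch not in patched:
        return False
    return version[2] < patched[branch]


def report(banners):
    """Map each banner to a one-word status for a fleet-wide summary."""
    labels = {True: "UPGRADE", False: "ok", None: "UNKNOWN"}
    return {b: labels[is_vulnerable(b)] for b in banners}


if __name__ == "__main__":
    # Constructed sample banners, as a real inventory script would collect
    # them from each host.
    samples = [
        "PostgreSQL 9.2.3 on x86_64-unknown-linux-gnu, compiled by gcc",
        "postgres (PostgreSQL) 9.2.4",
        "PostgreSQL 9.1.8 on x86_64-unknown-linux-gnu",
        "PostgreSQL 9.0.13 on x86_64-unknown-linux-gnu",
        "database unreachable",
    ]
    for banner, status in report(samples).items():
        print(f"{status:8s} {banner}")
```

Feeding the script the banner of every server in an inventory gives a single UPGRADE/ok list to work through; a `None` (UNKNOWN) result means the banner did not parse, which should be checked by hand rather than treated as patched.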

Where can I find more?

The Postgres team has a FAQ for this release, and here are the release announcements.

You can also see the commit that fixed the issue, with all the gory details.

Or, discuss on Hacker News.
