PostgreSQL 2009-12-14 Security Update

Posted on 2009-12-14

The PostgreSQL Project today released minor versions updating all active branches of the PostgreSQL object-relational database system, including versions 8.4.2, 8.3.9, 8.2.15, 8.1.19, 8.0.23, and 7.4.27. This release fixes one moderate-risk and one low-risk security issue: an SSL authentication issue, and a privilege escalation issue with expression indexes. All PostgreSQL database administrators are urged to update their version of PostgreSQL at the earliest opportunity.

There are also 48 other bug fixes in this release, many of which apply only to version 8.4, and a few of which are specifically for Windows. While these are generally fixes for minor issues, among the changes are:

  • Prevent hash index corruption
  • Update time zone data for 9 regions
  • Fix permissions-related startup issue on Windows
  • Prevent server restart if a VACUUM FULL is killed
  • Correct cache initialization startup bug

See the release notes for a full list of changes with details.

As with other minor releases, users are not required to dump and reload their database in order to apply this update release; you may simply shut down PostgreSQL and update its binaries. However, users who have hash indexes will want to run REINDEX after updating in order to repair any existing index damage. Users skipping more than one update may need to check the release notes for extra, post-update steps.
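
One way to find the hash indexes that need the REINDEX described above is a catalog query like the following. This is an added example, not part of the original announcement; it assumes a role that can read the system catalogs and must be run separately in each database of the cluster.

```sql
-- Added example: list every hash index in the current database and
-- generate the REINDEX statement for it. Run after the updated
-- binaries are installed and the server has been restarted.
-- Note: REINDEX blocks writes to the parent table while it runs,
-- so schedule the generated commands accordingly.
SELECT n.nspname AS schema_name,
       t.relname AS table_name,
       c.relname AS index_name,
       'REINDEX INDEX ' || quote_ident(n.nspname) || '.'
                        || quote_ident(c.relname) || ';' AS reindex_command
FROM pg_catalog.pg_index i
JOIN pg_catalog.pg_class     c ON c.oid = i.indexrelid   -- the index itself
JOIN pg_catalog.pg_class     t ON t.oid = i.indrelid     -- the indexed table
JOIN pg_catalog.pg_am        a ON a.oid = c.relam        -- index access method
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE a.amname = 'hash'
ORDER BY n.nspname, t.relname, c.relname;
```

An empty result means the database has no hash indexes and no REINDEX is needed for this fix.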

The PostgreSQL Global Development Group will stop releasing updates for PostgreSQL versions 7.4 and 8.0 after June of 2010. We urge users of those versions to start planning to upgrade now.
