
PostgreSQL Security Update for v7.4 thru v8.4

From: "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>
To: pgsql-announce(at)postgresql(dot)org
Subject: PostgreSQL Security Update for v7.4 thru v8.4
Date: 2010-05-17 16:53:30
Message-ID: alpine.BSF.2.00.1005171352070.22297@hub.org
Lists: pgsql-announce
2010-05-17 Security Update

The PostgreSQL Project today released minor versions updating all active 
branches of the PostgreSQL object-relational database system, including 
versions 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25, and 7.4.29. This release 
fixes moderate-risk security issues with PL/perl and PL/tcl, as well as a 
data corruption issue with standby databases.  Users of any of these three 
features should update their PostgreSQL installations immediately.

The PL/perl security fix closes a security hole in PL/perl procedures 
which could allow privilege escalation on the host system, caused by a 
flaw in Safe.pm; see CVE-2010-1169 and CVE-2010-1447 for details.  A 
second patch prevents PL/tcl's pltcl_modules table from being subverted in 
order to run arbitrary Tcl scripts; see CVE-2010-1170.  These issues only 
affect users who have enabled either of these two stored procedure 
languages.

Also corrected is use of the command ALTER TABLE SET TABLESPACE, which 
previously could cause data corruption on Warm Standby database slaves. 
This issue affects only version 8.4.

The issues patched in this update release affect version 9.0 Beta 1 as 
well, and will be corrected in an upcoming 9.0 Beta 2 release.
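Added here as an illustration, not part of the announcement: a small Python check that maps a server's `SELECT version()` output and its enabled languages (assumed to be the `lanname` values from `pg_language`) to the advisory items above, using the fixed minor versions and CVEs named in this update. Whether a server is part of a Warm Standby pair is assumed to be supplied by the operator.

```python
import re

# Fixed minor versions named in the 2010-05-17 announcement, keyed by branch.
FIXED = {"8.4": 4, "8.3": 11, "8.2": 17, "8.1": 21, "8.0": 25, "7.4": 29}

# Advisory items tied to an enabled trusted procedural language (assumption:
# the lanname values are taken from pg_language on the server being checked).
LANG_ISSUES = {
    "plperl": "CVE-2010-1169 / CVE-2010-1447: PL/perl Safe.pm privilege escalation",
    "pltcl": "CVE-2010-1170: pltcl_modules table can be subverted to run Tcl",
}

VERSION_RE = re.compile(r"PostgreSQL (\d+)\.(\d+)(?:\.(\d+)|(beta\d+))?")


def parse_version(version_output):
    """Split the string returned by SELECT version() into branch, patch, beta."""
    m = VERSION_RE.search(version_output)
    if m is None:
        raise ValueError("unrecognised version() output: %r" % version_output)
    major, minor, patch, beta = m.groups()
    return "%s.%s" % (major, minor), (int(patch) if patch else None), beta


def assess(version_output, enabled_languages, warm_standby=False):
    """Return whether the build predates the fix for its branch, the fixed
    release, and the advisory issues this server is actually exposed to.
    warm_standby is supplied by the operator (assumption: not derivable here)."""
    branch, patch, beta = parse_version(version_output)
    if branch == "9.0" and beta is not None:
        fixed_in, predates_fix = "9.0 Beta 2", True
    elif branch in FIXED and patch is not None:
        fixed_in = "%s.%d" % (branch, FIXED[branch])
        predates_fix = patch < FIXED[branch]
    else:
        return {"predates_fix": False, "fixed_in": None,
                "issues": ["branch %s is not covered by this advisory" % branch]}
    issues = []
    if predates_fix:
        # Only enabled languages expose the PL/perl and PL/tcl issues.
        for lang in sorted(set(enabled_languages) & set(LANG_ISSUES)):
            issues.append(LANG_ISSUES[lang])
        # The standby corruption fix applies to the 8.4 branch only.
        if warm_standby and branch == "8.4":
            issues.append("ALTER TABLE SET TABLESPACE corruption on Warm Standby (8.4 only)")
    return {"predates_fix": predates_fix, "fixed_in": fixed_in, "issues": issues}
```

An empty `issues` list with `predates_fix` true means none of the security items apply, but the other bug fixes in the minor release still do.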

There are also 21 other bug fixes in this release, some of which apply 
only to version 8.4, and a few of which are specifically for Windows. 
While these are generally fixes for minor issues, among the changes are:

      * Fix for a combinational crash condition
      * Prevent normal users from resetting some GUCs in
        their own role definitions
      * Correctly apply constraint exclusion in UPDATE and DELETE queries
      * Minor fixes for WAL archiving
      * Update timezone data for 12 zones

See the release notes for a full list of changes with details.

As with other minor releases, users are not required to dump and reload 
their database in order to apply this update release; you may simply shut 
down PostgreSQL and update its binaries. Users skipping more than one 
update may need to check the release notes for extra, post-update steps.

      * Release Notes
        http://www.postgresql.org/docs/current/static/release.html
      * Installation Packages
        http://www.postgresql.org/ftp/binary/
      * Source Code
        http://www.postgresql.org/ftp/source/
      * Windows and One-click Installer
        http://www.enterprisedb.com/products/pgdownload.do
      * Details of Security Issues
        http://www.postgresql.org/support/security

The PostgreSQL Global Development Group will stop releasing updates for 
PostgreSQL versions 7.4 and 8.0 after June of 2010. We urge users of those 
versions to start planning to upgrade now.
