24th September 2020: PostgreSQL 13 Released!

Security update 2011-02-01 released

Posted on 2011-01-31

The PostgreSQL Global Development Group today released security updates for all active branches of the PostgreSQL object-relational database system, including versions 9.0.3, 8.4.7, 8.3.14 and 8.2.20.

This update includes a security fix which prevents a buffer overrun in the contrib module intarray's input function for the query_int type. This bug is a security risk since the function's return address could be overwritten by malicious code.

All supported versions of PostgreSQL are impacted. However, the affected contrib module is optional. Only users who have installed the intarray module in their database are affected. See the CVE Advisory.

This release includes 63 bugfixes, including:

  • Avoid unexpected conversion overflow in planner for distant date values;
  • Fix assignment to an array slice that is before the existing range of subscripts;
  • Fix pg_restore to do the right thing when escaping large objects;
  • Avoid failures when EXPLAIN tries to display a simple-form CASE expression;
  • Improved build support for Windows version;
  • Fix bug in contrib/seg's GiST picksplit algorithm which caused performance degredation.

The 9.0.3 update also contains several fixes for issues with features introduced or changed in version 9.0:

  • Ensure all the received WAL is fsync'd to disk before exiting walreceiver;
  • Improve performance of walreceiver by avoiding excess fsync activity;
  • Make ALTER TABLE revalidate uniqueness and exclusion constraints when needed;
  • Fix EvalPlanQual for UPDATE of an inheritance tree when the tables are not all alike.

Overall, these releases include 33 patches to 9.0, 20 patches to 8.4, 20 patches to 8.3, and 18 patches to 8.2.

See the release notes for each version for a full list of changes with details.

As with other minor releases, users are not required to dump and reload their database in order to apply this update release; you may simply shut down PostgreSQL and update its binaries. Users skipping more than one update may need to check the release notes for extra,

post-update steps.

Download new versions now:

This post has been migrated from a previous version of the PostgreSQL website. We apologise for any formatting issues caused by the migration.