A total of 5 vulnerabilities have been fixed in the latest versions

Apr 4, 2013 14:41 GMT

The PostgreSQL Global Development Group has released PostgreSQL 9.2.4, 9.1.9, 9.0.13 and 8.4.17 to address a total of 5 security vulnerabilities. In addition, the latest updates contain fixes for several minor issues discovered over the past couple of months.

The most important security hole, CVE-2013-1899, can be exploited by an attacker to damage or destroy files within a server’s data directory by using a connection request that contains a database name which begins with “-”.

A less critical flaw addressed with the latest updates could be leveraged to guess random numbers generated by contrib/pgcrypto functions.

The third bug allowed an unprivileged user to run commands that could interfere with in-progress backups.

The last two issues affected the graphical installers for Linux and Mac OS X.

Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center, Marko Kreen, Noah Misch and Stefan Kaltenbrunner have been credited with finding the vulnerabilities.

Users are advised to update their installations as soon as possible.

PostgreSQL is available for download here