Users are advised to immediately apply the updates

Feb 28, 2012 11:44 GMT

The PostgreSQL Global Development Group released security updates for all the active versions of their open source object-relational database system. Among the updated variants, 9.1.3, 9.0.7, 8.4.11 and 8.3.18 are the ones worth mentioning.

The security updates address 45 issues that affected the 9.1 variant, including a btree index corruption, a transient zeroing of shared buffers during WAL replay, a corner case in SSI transaction cleanup, an unsupported node type error, and a recently introduced memory leak in the processing of inet/cidr.

Other fixes address security issues: the permissions on a function called by a trigger were not checked; SSL certificate name checks were truncated to 32 characters, allowing connection spoofing in certain circumstances; and line breaks in object names could be exploited to execute arbitrary code when a pg_dump file was loaded.

“pg_dump copied object names into comments in a SQL script without sanitizing them. An object name that includes a newline followed by an SQL command would result in a dump script in which the SQL command is exposed for execution.

“When and if the dump script is reloaded, the command would be executed with the privileges of whoever is running the script - often a superuser,” reads the advisory.
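The failure mode the advisory describes, shown as an added Python illustration (not pg_dump source code and not part of the advisory). The `-- Name: ...; Type: ...` comment layout, the helper names and the sample object name are assumptions constructed for this example.

```python
import re

# Constructed sample: an object name with an embedded newline and a harmless
# marker statement after it.
SAMPLE_NAME = "t1\nSELECT 1"


def comment_header_unsafe(name, obj_type):
    """Pre-fix behaviour: the object name is copied into the comment verbatim."""
    return f"-- Name: {name}; Type: {obj_type}\n"


def comment_header_safe(name, obj_type):
    """Hardened form: fold CR/LF to spaces so the name cannot end the comment line."""
    clean = name.replace("\r", " ").replace("\n", " ")
    return f"-- Name: {clean}; Type: {obj_type}\n"


def executable_lines(script):
    """Lines a SQL client would not skip as comments (non-blank, not starting with '--')."""
    lines = re.split(r"[\r\n]+", script)
    return [ln for ln in lines if ln.strip() and not ln.lstrip().startswith("--")]


def names_with_line_breaks(names):
    """Audit helper: object names that would break out of a one-line comment."""
    return [n for n in names if "\n" in n or "\r" in n]


if __name__ == "__main__":
    for build in (comment_header_unsafe, comment_header_safe):
        header = build(SAMPLE_NAME, "TABLE")
        print(build.__name__, "->", executable_lines(header))
    print("suspicious names:", names_with_line_breaks(["orders", SAMPLE_NAME]))
```

Running `names_with_line_breaks` over the identifiers in a catalog before dumping from an unpatched version shows whether any object name could reach the script as a statement.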

The truncation of SSL certificate names to 32 characters is not an easy flaw to exploit, but according to the release notes, an attack is possible in theory.

The group advises everyone who uses pg_dump, SSL certificates for validation, or security definer triggers to upgrade their software immediately to avoid any unfortunate incidents.

To apply the update release, users are not required to dump and reload their databases or to use pg_upgrade; instead, they need to shut down the application and update its binaries.

PostgreSQL 9.1.3 / 9.0.7 / 8.4.11 is available for download here.