The PostgreSQL Global Development Group has released security updates for its database system: versions 9.1.5, 9.0.9, 8.4.13 and 8.3.20.
The main issues addressed by these updates are the insecure use of libxslt (CVE-2012-3488) and libxml2 (CVE-2012-3489). These vulnerabilities could be leveraged by any authenticated attacker to read, respectively write, arbitrary files.
Several other fixes have been made to the 9.1 version of PostgreSQL.
The developer is notifying customers that, in order to maintain security standards, it has been forced to disable a couple of features: validation of external DTDs using the built-in XML functionality, and the fetching of documents and style sheets from external URLs with the xslt_process() function.
PostgreSQL customers are advised to apply the updates to ensure that their databases are protected against potential cyberattacks.
The latest versions of PostgreSQL are available for download here.
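To check a fleet against the fixed releases named above, the following Python script (an added example, not code from the PostgreSQL project or the original article) classifies `SELECT version()` banners per branch. The host names, banner strings and function names are constructed for illustration.

```python
import re

# Fixed minor release per branch, as listed in the announcement above.
FIXED = {(9, 1): 5, (9, 0): 9, (8, 4): 13, (8, 3): 20}

# Matches the "PostgreSQL X.Y[.Z]" prefix of a SELECT version() banner.
BANNER = re.compile(r"PostgreSQL (\d+)\.(\d+)(?:\.(\d+))?")

# Run per database to see whether xslt_process() (affected by the
# behaviour change described above) is installed there at all.
XSLT_CHECK_SQL = "SELECT count(*) FROM pg_proc WHERE proname = 'xslt_process'"


def classify(banner):
    """Return (branch, status) for one version() banner string."""
    m = BANNER.search(banner)
    if not m:
        return None, "unparsed"
    major, minor = int(m.group(1)), int(m.group(2))
    # Pre-releases such as "9.1beta2" carry no third component: treat as .0
    patch = int(m.group(3)) if m.group(3) is not None else 0
    branch = f"{major}.{minor}"
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Branch is not named in the announcement; needs manual review.
        return branch, "not-covered"
    return branch, "patched" if patch >= fixed else f"update-to-{branch}.{fixed}"


def audit(inventory):
    """Map host -> status for a dict of host -> version() banner."""
    return {host: classify(banner)[1] for host, banner in inventory.items()}


# Constructed sample inventory (not real hosts).
SAMPLE = {
    "db-a": "PostgreSQL 9.1.4 on x86_64-unknown-linux-gnu, compiled by gcc 4.4.6, 64-bit",
    "db-b": "PostgreSQL 9.0.9 on x86_64-unknown-linux-gnu, compiled by gcc 4.4.6, 64-bit",
    "db-c": "PostgreSQL 8.4.13 on i686-pc-linux-gnu, compiled by GCC gcc 4.1.2, 32-bit",
    "db-d": "PostgreSQL 8.2.23 on i686-pc-linux-gnu, compiled by GCC gcc 4.1.2, 32-bit",
    "db-e": "PostgreSQL 9.1beta2 on x86_64-unknown-linux-gnu, compiled by gcc 4.4.6, 64-bit",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as `not-covered` run a branch the announcement does not list, so their status has to be confirmed separately.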