PostgreSQL Update Targets 'High-Exposure Security Vulnerability'

PostgreSQL's developers are strongly urging users of version 9.x to upgrade their software "immediately."

The PostgreSQL Global Development Group today released updates addressing a "high-exposure security vulnerability in versions 9.0 and later." The updates are available for 9.0, 9.1, and 9.2 branches, as well as 8.4.

According to developers: "A major security issue fixed in this release, CVE-2013-1899, makes it possible for a connection request containing a database name that begins with "-" to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request. This issue was discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center."

In addition to fixes for one major security issue, the updates also include four more minor security fixes, as well as fixes for other, non-security-related issues. Some of these fixes include:

  • A security vulnerability that made contrib/pgcrypto-generated strings too easy to guess;
  • A vulnerability that would allow unprivileged users to interfere with backups;
  • Security issues involving the OS X and Linux installers;
  • Vaious issues with GiST indices;
  • An issue related to crash recovery; and
  • Memory and buffer leaks, among others.

The updates also allow PostgreSQL to be built using Microsoft Visual Studio 2012.

PostgreSQL 9.2.4, 9.1.9, 9.0.13, and 8.4.17 are available now at postgresql.org/download. A complete list of fixes and enhancements in each version can be found on the PostgreSQL release notes archive page.

About the Author

David Nagel is the former editorial director of 1105 Media's Education Group and editor-in-chief of THE Journal, STEAM Universe, and Spaces4Learning. A 30-year publishing veteran, Nagel has led or contributed to dozens of technology, art, marketing, media, and business publications.

He can be reached at [email protected]. You can also connect with him on LinkedIn at https://www.linkedin.com/in/davidrnagel/ .


Featured

  • illustration of people collaborating around large interlocking gears and data charts

    Why ERP and AI Initiatives Stall at the Execution Layer: A CIO Perspective

    Higher education institutions are investing heavily in ERP modernization, analytics, and AI-driven capabilities. Yet even with these investments, many are running into the same issue: turning insight into coordinated, timely action.

  • Neon blue security locks with a single red highlight

    AI Shifts Cybersecurity Focus from Finding Flaws to Fixing Them

    For decades, one of cybersecurity's most difficult challenges has been finding vulnerabilities before attackers do. A growing number of security professionals now say artificial intelligence is changing that equation, shifting the focus from discovering flaws to fixing them quickly enough to prevent exploitation.

  • Educational path and career development growth with neon icons for study, idea, graduation, and success

    How to Embrace Lifelong Learning as a Non-negotiable for Career Growth

    In a world shaped by rapid technological change and shifting economic forces, staying curious and committed to learning is the most powerful way to stay prepared.

  • circuit patterns

    Anthropic Launches Lower-Cost Claude Sonnet 5

    Anthropic has released Claude Sonnet 5, positioning the model as its most autonomous mid-tier offering to date and a lower-cost alternative to its flagship Opus 4.8 system. The company said the model can plan multi-step tasks, operate tools such as browsers and terminals, and complete agentic work at a level that previously required larger and more expensive models.