PostgreSQL Update Targets 'High-Exposure Security Vulnerability'

PostgreSQL's developers are strongly urging users of version 9.x to upgrade their software "immediately."

The PostgreSQL Global Development Group today released updates addressing a "high-exposure security vulnerability in versions 9.0 and later." The updates are available for 9.0, 9.1, and 9.2 branches, as well as 8.4.

According to developers: "A major security issue fixed in this release, CVE-2013-1899, makes it possible for a connection request containing a database name that begins with "-" to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request. This issue was discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center."

In addition to fixes for one major security issue, the updates also include four more minor security fixes, as well as fixes for other, non-security-related issues. Some of these fixes include:

  • A security vulnerability that made contrib/pgcrypto-generated strings too easy to guess;
  • A vulnerability that would allow unprivileged users to interfere with backups;
  • Security issues involving the OS X and Linux installers;
  • Vaious issues with GiST indices;
  • An issue related to crash recovery; and
  • Memory and buffer leaks, among others.

The updates also allow PostgreSQL to be built using Microsoft Visual Studio 2012.

PostgreSQL 9.2.4, 9.1.9, 9.0.13, and 8.4.17 are available now at postgresql.org/download. A complete list of fixes and enhancements in each version can be found on the PostgreSQL release notes archive page.

About the Author

David Nagel is the former editorial director of 1105 Media's Education Group and editor-in-chief of THE Journal, STEAM Universe, and Spaces4Learning. A 30-year publishing veteran, Nagel has led or contributed to dozens of technology, art, marketing, media, and business publications.

He can be reached at [email protected]. You can also connect with him on LinkedIn at https://www.linkedin.com/in/davidrnagel/ .


Featured

  • Robot typing on fluorescent keyboard

    The Wrong Battle: Why Your Institution's AI Policy Is Probably Solving the Wrong Problem

    The conversation on most campuses has become consumed with detection: How do we catch students using AI when they shouldn't? The impulse to protect academic integrity is legitimate, but the detection-first approach has a fatal flaw.

  • abstract smartphone translucent screen displaying AI interface

    Apple Introduces Redesigned Siri AI

    At its recent Worldwide Developers Conference, Apple introduced Siri AI, a redesigned version of its voice assistant that Apple describes in its own announcement as "a profoundly more capable and personal assistant." The update is intended to make Siri more conversational, more context-aware, and more useful across iPhone, iPad, Mac, Apple Watch, and Vision Pro.

  • abstract glowing circuit patterns

    Microsoft Reduces Copilot Integrations in Windows 11

    Microsoft is dialing back its aggressive Copilot push in Windows 11, promising a sweeping quality overhaul that puts performance and reliability ahead of AI feature expansion .

  • abstract data flow

    Google Intros New Gemini Enterprise Agent Platform

    Google Cloud has announced a new platform for building and managing enterprise AI agents, as the company seeks to turn its Gemini models and Vertex AI tooling into a broader system for automating business workflows.