{"id":2096,"date":"2010-10-05T09:44:40","date_gmt":"2010-10-05T17:44:40","guid":{"rendered":"http:\/\/www.chesnok.com\/daily\/?p=2096"},"modified":"2012-03-26T02:51:55","modified_gmt":"2012-03-26T10:51:55","slug":"postgresql-9-0-1-released-includes-security-fix-maintenance-releases-for-6-other-versions","status":"publish","type":"post","link":"https:\/\/www.chesnok.com\/daily\/2010\/10\/05\/postgresql-9-0-1-released-includes-security-fix-maintenance-releases-for-6-other-versions\/","title":{"rendered":"PostgreSQL 9.0.1 released, includes security fix & maintenance releases for 6 other versions"},"content":{"rendered":"

The PostgreSQL Global Development group released new maintenance versions today<\/a>: 9.0.1, 8.4.5, 8.3.12, 8.2.18, 8.1.22, 8.0.26 and 7.4.30. This is the final update for PostgreSQL versions 7.4 and 8.0. There’s a security issue in there involving procedural languages, and a detailed description of the vulnerability<\/a> is on our wiki<\/a>. A key thing to remember is that the issue primarily affects people who use SECURITY DEFINER along with a procedural language function. PL\/PgSQL is not affected, but any other procedural language with a “trusted” mode is. This includes PL\/Perl, PL\/tcl, PL\/Python (7.4 or earlier) and others. The new versions fix issues in PL\/Perl and PL\/tcl. A patch for PL\/PHP is currently in the works.<\/p>\n

Most developers feel that the security issue is relatively obscure. If you aren’t using a procedural language with some mechanism for altering privileges (SET ROLE or SECURITY DEFINER, for example), you aren’t vulnerable to the security issue and can upgrade Postgres during your next regularly scheduled downtime. If you *are* vulnerable, we recommend investigating the use of the functions that may be vulnerable, and taking steps to prevent their exploitation by upgrading as soon as you can.<\/p>\n

From the FAQ<\/a>: <\/p>\n

\nWhat is the level of risk associated with this exploit?<\/p>\n

Low. It requires all of the following:<\/p>\n