The PostgreSQL Global Development Group today released security updates for all active branches of the PostgreSQL object-relational database system, including versions 9.0.1, 8.4.5, 8.3.12, 8.2.18, 8.1.22, 8.0.26 and 7.4.30. This is the final update for PostgreSQL versions 7.4 and 8.0.
This update contains a security patch that closes a privilege-escalation hole in which "trusted" procedural-language functions could be modified at runtime, as well as multiple fixes for minor uptime, data integrity and error handling issues.
Users of the PL/Perl and PL/Tcl procedural languages together with SECURITY DEFINER functions should update their installations immediately. All other database administrators are urged to update their version of PostgreSQL at the next scheduled downtime.
Minor releases 7.4.30 and 8.0.26 are the final releases for PostgreSQL 7.4 and 8.0 as both versions are no longer supported. The PostgreSQL community will also stop releasing updates for version 8.1 later this year. Users are encouraged to upgrade to a newer version as soon as possible. See our release support policy:
http://wiki.postgresql.org/wiki/PostgreSQL_Release_Support_Policy
The security vulnerability allows any ordinary SQL user with usage rights on a "trusted" procedural language to modify the contents of that language's functions at runtime. As detailed in CVE-2010-3433, an authenticated user can escalate privileges by hijacking a SECURITY DEFINER function (or another existing operation that changes the effective authentication context). The mere presence of the procedural languages does not by itself make a database application vulnerable.
PL/Perl and PL/Tcl are patched in this release; a patch for PL/PHP is pending. All third-party procedural languages that offer a trusted version are also affected by the issue. Advisory CVE-2010-3433: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3433
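To see whether a particular database is exposed in the way the advisory describes, an administrator can check which SECURITY DEFINER functions are written in a trusted procedural language and who holds USAGE on that language. The SQL below is an added example and is not part of the original announcement. It assumes a superuser session on PostgreSQL 8.1 or later (it uses pg_roles), assumes the language names plperl, pltcl and plphp, and uses trusted_developer as a placeholder role name.

```sql
-- Added audit example; it is not part of the PostgreSQL announcement.
-- Assumes a superuser session on PostgreSQL 8.1 or later (pg_roles exists).

-- 1. Confirm the running server carries a fixed minor version
--    (9.0.1, 8.4.5, 8.3.12, 8.2.18 or 8.1.22 as listed in the announcement).
SELECT version();

-- 2. List SECURITY DEFINER functions written in the trusted languages the
--    advisory names. On an unpatched server these are the functions a user
--    holding USAGE on the language could hijack; review each owner and the
--    language's ACL. A NULL lanacl means the default grant is in effect,
--    i.e. PUBLIC has USAGE on the trusted language.
SELECT n.nspname  AS schema,
       p.proname  AS function_name,
       r.rolname  AS owner,
       r.rolsuper AS owner_is_superuser,
       l.lanname  AS language,
       l.lanacl   AS language_acl
  FROM pg_proc p
  JOIN pg_language  l ON l.oid = p.prolang
  JOIN pg_namespace n ON n.oid = p.pronamespace
  JOIN pg_roles     r ON r.oid = p.proowner
 WHERE p.prosecdef
   AND l.lanpltrusted
   AND l.lanname IN ('plperl', 'pltcl', 'plphp')  -- assumed names; add other trusted third-party languages
 ORDER BY r.rolsuper DESC, n.nspname, p.proname;

-- 3. Interim containment on a server that cannot be patched yet: take USAGE
--    on the trusted language away from PUBLIC and grant it back only to the
--    roles that must create functions in it. The advisory's remedy is the
--    update; this merely narrows who holds the "usage rights" it describes.
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;
GRANT  USAGE ON LANGUAGE plperl TO trusted_developer;  -- placeholder role name
```

Functions owned by a superuser appear first in the listing because hijacking one of those yields the greatest privilege gain; those are the rows to review before the next scheduled downtime if the server is still on an older minor release.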
This release includes numerous internal documentation updates and 130 bugfixes, including:
See the release notes for a full list of changes with details.
As with other minor releases, users are not required to dump and reload their database in order to apply this update release; you may simply shut down PostgreSQL and update its binaries. Users skipping more than one update may need to check the release notes for extra, post-update steps.
Download new versions now:
If you'd like a more detailed explanation of the vulnerability, an FAQ is available.