Last week, I told you all about an incoming security patch for Postgres. Well, today, it’s here. Please check out this page and upgrade your Postgres. As the Postgres team says, ‘This is the first security issue of this magnitude since 2006.’

What’s the issue?

As always, you can find the latest information about security patches via the CVE system. Here’s the one for this vulnerability, CVE-2013-1899.

The root cause is that a database name beginning with a dash in a connection request was parsed by the server as a command-line switch. Depending on what the attacker already has, that allows three things, in escalating order of severity:

  • Denial of Service. An unauthenticated attacker can cause error messages to be appended to files in Postgres’ data directory, corrupting them. This can fill up disks, or cause Postgres to crash.
  • Configuration Setting Privilege Escalation. If the attacker has a legitimate login, and the username and database name are identical, then that user can set a config variable as the superuser.
  • Arbitrary Code Execution. The ‘boss level’ of vulnerabilities. If the attacker can do both of the above things, and can also save files to the server’s filesystem outside of the data directory, then they can execute arbitrary C code.

Damn.

What versions are affected?

The 9.0, 9.1 and 9.2 series. The fix ships in 9.2.4, 9.1.9 and 9.0.13; 8.4 and 8.3 are not affected by this bug, even though 8.4.17 and 8.3.23 were released alongside the fixed versions.
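If you manage more than a couple of servers, it helps to turn the affected-version list into a script rather than eyeballing `SELECT version()` output. The following is an added example, not code from The Changelog or from the PostgreSQL project: it parses the version string that `SELECT version()` or `psql --version` returns, decides whether that server is vulnerable to CVE-2013-1899, and names the minor release it needs. The fixed releases (9.2.4, 9.1.9, 9.0.13) are the ones announced with this patch; the hostnames and version strings in the sample inventory are constructed for the example.

```python
import re

# Added example, not from the Changelog post or the PostgreSQL project.
# First fixed release of each affected series (the 2013-04-04 minor releases).
# 8.4 and earlier are not affected; series released later shipped with the fix.
FIXED_IN = {
    (9, 2): 4,
    (9, 1): 9,
    (9, 0): 13,
}

# Matches "PostgreSQL 9.2.3 on x86_64..." (SELECT version()) and
# "psql (PostgreSQL) 9.2.3" (psql --version). Beta/RC strings with no
# third component deliberately do not match, so they raise below.
_VERSION_RE = re.compile(r"PostgreSQL\)?\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a version string, or None if absent."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(g) for g in m.groups())


def fixed_release(version):
    """Return the first fixed release for this server's series as a string,
    or None when the series is not affected at all."""
    series = version[:2]
    if series not in FIXED_IN:
        return None
    return "%d.%d.%d" % (series[0], series[1], FIXED_IN[series])


def cve_2013_1899_status(text):
    """Classify a version string as 'vulnerable', 'fixed' or 'not_affected'."""
    version = parse_version(text)
    if version is None:
        raise ValueError("no x.y.z PostgreSQL version found in: %r" % text)
    series = version[:2]
    if series not in FIXED_IN:
        return "not_affected"
    return "fixed" if version[2] >= FIXED_IN[series] else "vulnerable"


def audit(servers):
    """Map host -> (status, upgrade_to) for a dict of host -> version string.
    upgrade_to is only set for vulnerable servers."""
    report = {}
    for host, text in servers.items():
        status = cve_2013_1899_status(text)
        upgrade_to = fixed_release(parse_version(text)) if status == "vulnerable" else None
        report[host] = (status, upgrade_to)
    return report


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_SERVERS = {
    "db1.example": "PostgreSQL 9.2.3 on x86_64-unknown-linux-gnu, compiled by gcc (GCC) 4.4.7, 64-bit",
    "db2.example": "psql (PostgreSQL) 9.1.9",
    "db3.example": "PostgreSQL 9.0.12 on x86_64-unknown-linux-gnu, compiled by gcc (GCC) 4.4.7, 64-bit",
    "legacy.example": "PostgreSQL 8.4.16 on x86_64-unknown-linux-gnu, compiled by gcc (GCC) 4.4.7, 64-bit",
}

if __name__ == "__main__":
    for host, (status, upgrade_to) in sorted(audit(SAMPLE_SERVERS).items()):
        line = "%-16s %s" % (host, status)
        if upgrade_to:
            line += " -> upgrade to %s" % upgrade_to
        print(line)
```

Feed `audit()` the output of `SELECT version()` collected from each host; a pre-release string such as a 9.3 beta has no third version component and raises rather than being silently reported as safe, which is the behaviour you want from an audit script.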

Where can I find more?

The Postgres team has a FAQ for this release, and here are the release announcements.

You can also see the commit that fixed the issue, with all the gory details.

Or, discuss on Hacker News.


Have comments? Send a tweet to @TheChangelog on Twitter.