PostgreSQL 2007-01-07 Cumulative Security Release
Today the PostgreSQL Global Development Group is releasing updated
versions which patch five security vulnerabilities. These releases
update all current PostgreSQL versions, including 8.2, 8.1, 8.0, 7.4 and
7.3. They are considered CRITICAL and PostgreSQL DBAs and sysadmins
should install the update as soon as they reasonably can. Our security
team has made all efforts to make these patches backwards-compatible,
and upgrading does not require converting your data files.
Please read the remainder of this message for further important details
and announcements.
Details of Security Fixes
----------------------------
There are five security fixes included in this release. None of these
issues are known to have been exploited in the field; they were
discovered through security analysis.
Index Functions Privilege Escalation (CVE-2007-6600): as a unique
feature, PostgreSQL allows users to create indexes on the results of
user-defined functions, known as "expression indexes". This provided
two vulnerabilities to privilege escalation: (1) index functions were
executed as the superuser and not the table owner during VACUUM and
ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were
permitted within index functions. Both of these holes have now been closed.
Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067,
CVE-2007-4769): three separate issues in the regular expression
libraries used by PostgreSQL allowed malicious users to initiate a
denial-of-service by passing certain regular expressions in SQL queries.
First, users could create infinite loops using some specific regular
expressions. Second, certain complex regular expressions could consume
excessive amounts of memory. Third, out-of-range backref numbers could
be used to crash the backend. All of these issues have been patched.
DBLink Privilege Escalation (CVE-2007-6601): DBLink functions combined
with local trust or ident authentication could be used by a malicious
user to gain superuser privileges. This issue has been fixed, and does
not affect users who have not installed DBLink (an optional module), or
who are using password authentication for local access. This same
problem was addressed in the previous release cycle (see CVE-2007-3278),
but that patch failed to close all forms of the loophole.
EOL Notices
---------------------
Minor release 7.3.21 for PostgreSQL version 7.3 will be the last update
to the 7.3 branch. As version 7.3 is now over five years old, the
community will no longer release patches for it after today's release.
Users of version 7.3 are encouraged to upgrade to a more current version
as soon as possible, or to seek support from a commercial support vendor
who is willing to continue backpatching for them.
8.1.11 and 8.0.15 are also the last 8.1 and 8.0 update releases for
which the PostgreSQL community will produce binary packages for Windows.
Windows users are encouraged to move to 8.2.6 or later, since there are
Windows-specific fixes in 8.2 that are impractical to back-port. 8.1
and 8.0 updates will continue to be supported on other platforms and in
source form.
Download and Install
------------------------
PostgreSQL minor releases 8.2.6, 8.1.11, 8.0.15, 7.4.19 and 7.3.21 are
available through our FTP mirror network:
-- Source Code: http://www.postgresql.org/ftp/source/
-- Binaries for some platforms: http://www.postgresql.org/ftp/binary/
If you need additional information on the included updates, it's
available in our Release Notes
(http://www.postgresql.org/docs/current/static/release.html). These
upgrades can be copied directly over existing PostgreSQL binaries and do
not require dump-and-reload for any system which has been updated in the
last six months (older versions may require some specific post-update
steps; see the release notes).
As always, PostgreSQL update releases are cumulative. All security
fixes will be included in the upcoming version 8.3 release candidate.
This notice will be posted to the PostgreSQL security page:
http://www.postgresql.org/support/security
-- PostgreSQL Global Development Group