
[ANNOUNCE] PostgreSQL security update available now

From:  Josh Berkus <josh-AT-postgresql.org>
To:  pgsql-announce-AT-postgresql.org
Subject:  [ANNOUNCE] PostgreSQL security update available now
Date:  Mon, 5 Feb 2007 09:32:44 -0800

The PostgreSQL Global Development Group releases today a security update for 
all recent PostgreSQL versions: minor versions 8.2.2, 8.1.7, 8.0.11, 7.4.16 
and 7.3.18.  Because this patches a medium-risk security hole, all users are 
urged to upgrade at the earliest opportunity.

This release fixes CVE-2007-0555 and CVE-2007-0556.  Both of these issues 
allow an authenticated attacker with the permissions to run arbitrary SQL to 
launch a denial-of-service attack or possibly read out random chunks of 
memory.  Since attacks do require authenticated access, the security hole is 
only considered medium risk.  You can read more about the issues on Mitre: 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0556

In keeping with the PostgreSQL Project's security fix policies, this update is 
being released as quickly as possible: within 2 weeks of the first bug 
report, and within five days of developing a fix.  This type of fast response 
is central to PostgreSQL's reputation as one of the most secure databases in 
the industry.

The new minor versions may be downloaded from our download page: 
http://www.postgresql.org/download/.  Users will not need to dump & reload 
for the upgrade.  However, see the release notes for your target version: 
http://www.postgresql.org/docs/8.2/static/release.html


-- 
PostgreSQL Core Team

---------------------------(end of broadcast)---------------------------
-To unsubscribe from this list, send an email to:

               pgsql-announce-unsubscribe@postgresql.org


Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds