PostgreSQL is an open source relational database management system, which can be run on various operating systems. The developers have released another series of new versions, with 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25 and 7.4.29 as version numbers. This fixes several bugs and vulnerabilities. Since it concerns the use of PL/perl and PL/tcl as well as potential data integrity issues, everyone is advised to update. The announcement of these versions looks like this:
PostgreSQL Security Update
The PostgreSQL Project today released minor versions updating all active branches of the PostgreSQL object-relational database system, including versions 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25, and 7.4.29. This release fixes moderate-risk security issues with PL/perl and PL/tcl, as well as a data corruption issue with standby databases. Users of any of these three features should update their PostgreSQL installations immediately.
The PL/perl security fix closes a security hole in PL/perl procedures which could allow privilege escalation on the host system, caused by a flaw in Safe.pm; see CVE-2010-1169 and CVE-2010-1447 for details. A second patch prevents PL/tcl’s pltcl_modules table from being subverted in order to run arbitrary Tcl scripts; see CVE-2010-1170. These issues only affect users who have enabled either of these two stored procedure languages.
Also corrected is use of the command ALTER TABLE SET TABLESPACE, which previously could cause data corruption on Warm Standby database slaves. This issue affects only version 8.4.
The issues patched in this update release affect version 9.0 Beta 1 as well, and will be corrected in an upcoming 9.0 Beta 2 release.
There are also 21 other bug fixes in this release, some of which apply only to version 8.4, and a few of which are specifically for Windows. While these are generally fixes for minor issues, among the changes are:
- Fix for a combinational crash condition
- Prevent normal users from resetting some GUCs in their own role definitions
- Correctly apply constraint exclusion in UPDATE and DELETE queries
- Minor fixes for WAL archiving
- Update timezone data for 12 zones
See the release notes for a full list of changes with details. As with other minor releases, users are not required to dump and reload their database in order to apply this update release; you may simply shut down PostgreSQL and update its binaries. Users skipping more than one update may need to check the release notes for extra, post-update steps.
|Version number||8.4.4 / 8.3.11 / 8.2.17|
|Operating systems||Windows 7, Linux, BSD, Windows XP, Solaris, UNIX, Windows Server 2003, Windows Vista, Windows Server 2008|
|License type||Conditions (GNU/BSD/etc.)|