Security update for PostgreSQL


Two bugs in the free relational database PostgreSQL allowed users to read and write arbitrary files. They have been closed with the updates released today for versions 9.1.5, 9.0.9, 8.4.13 and 8.3.20. Affected are the XML and XSLT functions provided by libxml2 and libxslt.

Details about the errors registered as CVE-2012-3488 (libxslt) and CVE-2012-3489 (libxml2) are scarce. Apparently the problem is not in the libraries themselves but in how PostgreSQL ties them in. Some hints can be found in the release notes for version 9.1.5. According to those, the XML hole apparently made it possible to determine the existence of files and, in some cases, to display parts of them.

The developers refer in this respect to a vulnerability in the WebKit browser engine that was already closed in October 2011 and to a bug in PHP 5 fixed in early 2012. In both cases libxslt was tied in in an unsafe manner, so that users could create files by manipulating XSLT stylesheets.

The current PostgreSQL bug fix switches off both the built-in function for checking external DTDs (Document Type Definitions) and the function xslt_process(). With these, documents or stylesheets were loaded from external URLs.
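As an added example, not taken from the article or from the PostgreSQL project, the following queries are what an administrator would run after installing the update to confirm that the running server carries one of the fixed releases named above and to locate installations of xslt_process() (which ships in the contrib module xml2). The only assumption is psql access to the cluster with a role that can read the system catalogs.

```sql
-- Added example, not part of the original article.
-- Assumes a psql session on the server to be checked.

-- 1. Does the running server carry the fix for its branch?
--    Fixed releases per the article: 9.1.5, 9.0.9, 8.4.13, 8.3.20.
--    server_version_num encodes a version as MMmmpp (9.1.5 -> 90105).
SELECT current_setting('server_version') AS server_version,
       CASE
         WHEN current_setting('server_version_num')::int >= 90100
           THEN current_setting('server_version_num')::int >= 90105
         WHEN current_setting('server_version_num')::int >= 90000
           THEN current_setting('server_version_num')::int >= 90009
         WHEN current_setting('server_version_num')::int >= 80400
           THEN current_setting('server_version_num')::int >= 80413
         WHEN current_setting('server_version_num')::int >= 80300
           THEN current_setting('server_version_num')::int >= 80320
         ELSE false   -- branches older than 8.3 received no update
       END AS has_fix;

-- 2. Where is xslt_process() installed in the current database?
--    The update disables loading from external URLs inside the function,
--    so it may still be present after patching; run this in each database
--    (\c <dbname>) to see which ones expose it at all.
SELECT n.nspname AS schema,
       p.proname  AS function,
       pg_get_function_identity_arguments(p.oid) AS arguments
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.proname = 'xslt_process'
ORDER  BY 1, 2;
```

A row with has_fix = false in the first query means the server must be updated before the second query's result matters; if the second query returns rows in a database whose applications never call xslt_process(), dropping the xml2 module from that database removes the function entirely.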

In the update to the current version 9.1, the developers have at the same time incorporated other changes and fixes. These include time zones, the documentation, and the Python and Perl scripting.

The PostgreSQL developers recommend that all users install the update as soon as possible. A complete dump and reload of the database with pg_dump should generally not be necessary.
