LARA NOTICE
Number 01/2013
Issued on 09-04-2013
Valid until: upgrade has been performed
Issued by LARA Team
A major security flaw has been found in all versions of PostgreSQL which allows anyone with access to the port of the PostgreSQL cluster to run arbitrary commands by attempting to connect to a database whose name begins with '-'. PostgreSQL treats such a database name as a command-line argument and acts on it without any check.
An example would be an attempt to connect to a database named '-r C:\Program Files\PostgreSQL\9.1\data\pg_hba.conf', which would cause the cluster's stderr output to be appended to the pg_hba.conf file, corrupting it. Complete destruction of database tables is also possible through this flaw.
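As a defender-side check that is not part of this notice, the following added example scans PostgreSQL server log lines for connection attempts whose requested database name starts with '-', the trigger described above, and correlates each hit with the client host from the matching "connection received" line. The log lines, hosts, process ids and timestamps are constructed; the line prefix format (timestamp, timezone, pid in brackets) is an assumption and must be adjusted to your own log_line_prefix, and log_connections must be on for the "connection authorized" messages to exist.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of server log lines (not from any real system).
# Assumed format: "<date> <time> <tz> [<pid>] <LEVEL>:  <message>".
SAMPLE_LOG = """\
2013-04-09 10:15:22 CEST [4312] LOG:  connection received: host=10.0.0.7 port=51234
2013-04-09 10:15:22 CEST [4312] LOG:  connection authorized: user=app database=appdb
2013-04-09 10:16:01 CEST [4318] LOG:  connection received: host=10.0.0.99 port=40112
2013-04-09 10:16:01 CEST [4318] FATAL:  database "-r C:\\Program Files\\PostgreSQL\\9.1\\data\\pg_hba.conf" does not exist
2013-04-09 10:16:05 CEST [4320] LOG:  connection authorized: user=app database=-x
2013-04-09 10:17:40 CEST [4325] LOG:  connection authorized: user=report database=reports
"""


class Finding(NamedTuple):
    timestamp: str
    pid: int
    source_host: str  # "unknown" if no "connection received" line was seen for this pid
    database: str
    message: str


# Assumed log_line_prefix layout; change this regex to match your own prefix.
PREFIX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+) \[(?P<pid>\d+)\] (?P<rest>.*)$"
)
RECEIVED = re.compile(r"connection received: host=(?P<host>\S+)")
# The database name is unquoted here, so it may contain spaces; stop before
# the optional application_name / SSL details that newer servers append.
AUTHORIZED = re.compile(
    r"connection authorized: user=(?P<user>\S+) database=(?P<db>.+?)"
    r"(?: (?:application_name|SSL)\b.*)?$"
)
NO_SUCH_DB = re.compile(r'database "(?P<db>.+)" does not exist')


def is_option_like_name(database: str) -> bool:
    """True when a requested database name starts with '-', i.e. looks like a
    command-line switch rather than a name. No legitimate client needs this."""
    return database.startswith("-")


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per log line that names an option-like database,
    with the client host taken from the same backend pid's 'received' line."""
    host_by_pid: Dict[int, str] = {}
    findings: List[Finding] = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a line in the assumed prefix format
        pid = int(m.group("pid"))
        rest = m.group("rest")

        received = RECEIVED.search(rest)
        if received:
            host_by_pid[pid] = received.group("host")
            continue

        database = None
        authorized = AUTHORIZED.search(rest)
        if authorized:
            database = authorized.group("db")
        else:
            missing = NO_SUCH_DB.search(rest)
            if missing:
                database = missing.group("db")

        if database is not None and is_option_like_name(database):
            findings.append(
                Finding(m.group("ts"), pid, host_by_pid.get(pid, "unknown"), database, rest)
            )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} pid={f.pid} host={f.source_host} database={f.database!r}")
```

Run it against a real log with `scan_log(open("postgresql.log").read())`; any finding at all is worth investigating, and on a server that has not yet been upgraded it should be treated as an attempted exploitation of this flaw regardless of whether the named database exists.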
To fix the flaw, update your PostgreSQL to the appropriate version from http://www.enterprisedb.com/products-services-training/pgdownload.
In case of any questions please contact the LARA Team.