Versions 9.2.4, 9.1.9, 9.0.13 and 8.4.17 of PostgreSQL were recently released, chiefly to patch CVE-2013-1899, a vulnerability that could be leveraged to enable denial of service, privilege escalation and/or arbitrary code execution. Two less severe security fixes are also included in the release (h/t Threatpost).
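A practical first step for anyone running PostgreSQL is to check whether each server carries the fix, using the release numbers listed above. The following is an added example, not code from the PostgreSQL project or the original article: it assumes the version text comes from `SELECT version()` (or a bare `x.y.z` string) or the integer from `SHOW server_version_num`, and the sample inputs at the bottom are constructed for illustration. A branch not named in the release announcement is reported as unknown rather than guessed at.

```python
import re

# Minimum minor release on each branch that carries the CVE-2013-1899 fix,
# as listed in the release announcement: 9.2.4, 9.1.9, 9.0.13, 8.4.17.
FIXED_RELEASES = {
    (9, 2): 4,
    (9, 1): 9,
    (9, 0): 13,
    (8, 4): 17,
}

# `SELECT version()` returns text such as
# "PostgreSQL 9.2.3 on x86_64-unknown-linux-gnu, compiled by gcc ...".
_VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)\.(\d+)")
_BARE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(version_text):
    """Extract (major, minor, patch) from `SELECT version()` output or a bare
    'x.y.z' string. Returns None if no three-part version is present."""
    m = _VERSION_RE.search(version_text) or _BARE_RE.search(version_text)
    if m is None:
        return None
    return tuple(int(g) for g in m.groups())


def parse_version_num(num):
    """Decode the integer from `SHOW server_version_num`, which for these
    branches is major*10000 + minor*100 + patch (e.g. 90204 -> (9, 2, 4))."""
    num = int(num)
    return (num // 10000, (num // 100) % 100, num % 100)


def cve_2013_1899_status(version):
    """Return 'patched', 'vulnerable' or 'unknown' for one server.

    `version` may be the text from `SELECT version()`, a bare 'x.y.z' string,
    or the integer (or digit string) from `SHOW server_version_num`.
    """
    if isinstance(version, int) or str(version).strip().isdigit():
        parsed = parse_version_num(version)
    else:
        parsed = parse_version(str(version))
    if parsed is None:
        return "unknown"
    major, minor, patch = parsed
    fixed_patch = FIXED_RELEASES.get((major, minor))
    if fixed_patch is None:
        # Branch not named in the announcement (e.g. an end-of-life branch or
        # one newer than the release). Do not guess either way.
        return "unknown"
    return "patched" if patch >= fixed_patch else "vulnerable"


def report(servers):
    """Map each (label, version) pair to its status; handy for a fleet check."""
    return {label: cve_2013_1899_status(v) for label, v in servers}


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts.
    sample = [
        ("db-a", "PostgreSQL 9.2.3 on x86_64-unknown-linux-gnu, compiled by gcc"),
        ("db-b", "PostgreSQL 9.2.4 on x86_64-unknown-linux-gnu, compiled by gcc"),
        ("db-c", 90108),      # server_version_num for 9.1.8
        ("db-d", "8.4.17"),
        ("db-e", "PostgreSQL 8.3.23 on i686-pc-linux-gnu"),
    ]
    for label, status in report(sample).items():
        print(f"{label}: {status}")
```

Run against a fleet inventory, anything reported as `vulnerable` should be scheduled for the update, and `unknown` entries deserve a manual look, since the check deliberately refuses to extrapolate to branches the announcement does not cover.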
According to the PostgreSQL Global Development Group (PGDG), there are no known exploits in the wild at this time.
“The vulnerability allows users to use a command-line switch for a PostgreSQL connection intended for single-user recovery mode while PostgreSQL is running in normal, multiuser mode,” the PGDG explained in a FAQ. “This can be used to harm the server.”
Some companies, including cloud platform provider Heroku, were given early access to the updates. “Because Heroku was especially vulnerable, the PostgreSQL Core Team worked with them — to secure their infrastructure and to use their deployment as a test-bed for the security patches,” PGDG stated. “This helped to verify that the security update did not break any application functionality.”
The vulnerability was first reported to the PGDG on March 12, 2013 by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center. According to the PGDG, this is the first security issue of this magnitude since 2006.