The PostgreSQL project has issued unscheduled corrective updates for all supported versions, 9.2.4, 9.1.9, 9.0.13 and 8.4.17, fixing five vulnerabilities, one of which is rated critical. All PostgreSQL 9.x users should apply the update immediately. As a general hardening measure, the PostgreSQL developers also advise verifying that access to the PostgreSQL network port is denied to outside subnets.
The critical vulnerability (CVE-2013-1899) affects only the 9.x versions. It allows an attacker to corrupt files in the PostgreSQL data directory by sending a specially malformed connection request in which the database name begins with the character "-" (such a name is interpreted as an option for single-user recovery mode; the named database does not need to exist on the server). The attack requires only access to the PostgreSQL network port; no database account is needed.
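The advisory's general mitigation is to make sure the PostgreSQL port is not reachable from untrusted subnets. The following added example (not code from the PostgreSQL project or from the original post) audits a pg_hba.conf-style rule set for that property: it flags entries that accept connections from any address (0.0.0.0/0 or ::/0), entries whose source network lies outside an assumed list of trusted networks, and entries that use the "trust" method over the network. The sample configuration and the trusted-network list are constructed for the example; the separate-netmask column form of pg_hba.conf is also handled.

```python
import ipaddress

# Constructed sample pg_hba.conf content for the example (not a real deployment).
SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    peer
host    all       all   127.0.0.1/32     md5
host    all       all   10.20.0.0/16     md5
host    all       all   0.0.0.0/0        md5
hostssl all       all   ::/0             md5
host    all       all   192.0.2.5/32     trust
"""

# Assumed trusted networks for this example; a real audit takes these from policy.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.20.0.0/16"),
]


def parse_pg_hba(text):
    """Parse pg_hba.conf lines into dicts; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entry = {"line": lineno, "type": fields[0]}
        if fields[0] == "local":
            # local: TYPE DATABASE USER METHOD (no address column)
            if len(fields) < 4:
                continue
            entry.update(database=fields[1], user=fields[2], address=None, method=fields[3])
        else:
            # host*: TYPE DATABASE USER ADDRESS [NETMASK] METHOD
            if len(fields) < 5:
                continue
            address = fields[3]
            if "/" not in address and len(fields) >= 6:
                # separate netmask column form, e.g. "10.0.0.0 255.0.0.0"
                address = address + "/" + fields[4]
                method = fields[5]
            else:
                method = fields[4]
            entry.update(database=fields[1], user=fields[2], address=address, method=method)
        entries.append(entry)
    return entries


def audit_pg_hba(text, trusted_networks):
    """Return a list of findings for network rules that are too permissive."""
    findings = []
    for entry in parse_pg_hba(text):
        if entry["address"] is None:
            continue  # Unix-socket rules are not reachable from the network
        reasons = []
        try:
            net = ipaddress.ip_network(entry["address"], strict=False)
        except ValueError:
            # hostnames or keywords such as samenet: cannot be checked here
            reasons.append("non-CIDR address, review manually")
            net = None
        if net is not None:
            if net.prefixlen == 0:
                reasons.append("accepts connections from any address")
            same_family = [t for t in trusted_networks if t.version == net.version]
            if not any(net.subnet_of(t) for t in same_family):
                reasons.append("source network is outside the trusted list")
        if entry["method"] == "trust":
            reasons.append("trust method over the network (no authentication)")
        if reasons:
            findings.append({"line": entry["line"], "address": entry["address"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA, TRUSTED_NETWORKS):
        print("line %d (%s): %s" % (f["line"], f["address"], "; ".join(f["reasons"])))
```

On the constructed sample, the rules for 127.0.0.1/32 and 10.20.0.0/16 pass, while the 0.0.0.0/0 and ::/0 rules and the "trust" rule for 192.0.2.5/32 are reported. Running this against the real pg_hba.conf only covers the database-level filter; the advisory's advice also applies to the host firewall and network ACLs in front of the port.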