The PostgreSQL Global Development Group has released security updates for all currently supported versions (9.1.x, 9.0.x, 8.4.x and 8.3.x) of the open source relational database system.
The updates include versions 9.1.4, 9.0.8, 8.4.12 and 8.3.19 of PostgreSQL which close two security holes and include 42 other bug fixes.
Users of the crypt function included in the pgcrypto module should update their installations immediately: the update fixes an incorrect password transformation that silently truncated passwords, leaving them shorter than intended and easier to attack. After updating, users will have to regenerate all passwords containing the byte value 0x80, since the faulty code produced truncated hashes for those passwords.
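A self-check for the pgcrypto issue, added here as an example and not code from the PostgreSQL project or this article. It assumes pgcrypto is installed in the current database, that the database encoding is SQL_ASCII (so a text literal may carry a lone 0x80 byte; a UTF8 database rejects the literal before crypt() sees it), and it tests the DES crypt variant, which is where the truncation occurred.

```sql
-- Added self-check (not part of the PostgreSQL release or the article).
-- Assumptions: pgcrypto is installed; database encoding is SQL_ASCII so that
-- E'\x80' is accepted as a single byte in a text literal.
-- Result: true  -> crypt() ignores everything after byte 0x80 (unpatched)
--         false -> the two distinct passwords hash differently (patched)
CREATE OR REPLACE FUNCTION pgcrypto_crypt_truncates_at_0x80()
RETURNS boolean AS $$
DECLARE
    salt text := gen_salt('des');  -- DES crypt is the affected variant
BEGIN
    -- Both passwords share the prefix 'ab' followed by byte 0x80; only the
    -- second continues past it. Faulty crypt() yields the same hash for both,
    -- because it stopped consuming the password at 0x80.
    RETURN crypt(E'ab\x80', salt) = crypt(E'ab\x80cdefgh', salt);
END;
$$ LANGUAGE plpgsql;

SELECT pgcrypto_crypt_truncates_at_0x80() AS affected;
```

A result of true means hashes already stored for passwords containing 0x80 were computed from a truncated password and should be regenerated after the update, as the advisory describes.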
The other corrected security issue is a bug in a call handler that could crash the server when the SECURITY DEFINER and SET attributes are applied. An attacker could exploit this to cause a denial of service (DoS).
The updates for the 9.1.x, 9.0.x, 8.4.x and 8.3.x branches of PostgreSQL can be downloaded from the project’s site. Binary packages are available for Linux, FreeBSD, Solaris, Windows and Mac OS X. The source code of the project is available under the terms of the PostgreSQL License, a permissive open source license similar in character to the BSD or MIT licenses.