Various vulnerabilities have been reported in PostgreSQL. Some have an unknown impact and others can can be exploited by malicious users to gain escalated privileges or bypass certain security restrictions.
1) An error in the "LOAD" option can be exploited by malicious, unprivileged database
users to load arbitrary libraries.
Successful exploitation may allow execution of arbitrary code with escalated privileges,
but requires that the platform automatically executes initialization functions
of shared libraries (includes Windows and ELF-based Unix / Linux systems).
2) A missing permissions check makes it possible for a creator of an aggregate
function to execute the specified transition functions. This bypasses the denial
of "EXECUTE" permissions on a function.
3) An unspecified security issue exists in "contrib/intagg".
4) A boundary error may result in a buffer overflow when the plpgsql cursor declaration
has too many parameters.
NOTE: Other issues have also been reported, which may be security related.
SOFTWARE:
PostgreSQL 7.x
PostgreSQL 8.x
SOLUTION:
Update to version 8.0.1, 7.4.7, 7.3.9, or 7.2.7.
http://wwwmaster.postgresql.org/download/mirrors-ftp
PROVIDED AND/OR DISCOVERED BY:
1) John Heasman, NGSSoftware.
2-4) Reported by vendor.
ORIGINAL ADVISORY:
http://archives.postgresql.org/pgsql-announce/2005-02/msg00000.php
VERIFY ADVISORY:
http://secunia.com/advisories/12948/
Secunia Security Advisories
http://community.securityteam.us/article.php/20050210111335201