PostgreSQL issues 'critical' security fix

Developers urge users of open-source database to update their installations immediately to protect themselves.

The developers of the open-source PostgreSQL database have issued a "critical" update, urging users of the software to modify their installations immediately to protect themselves from possible exploits.

The fix, which can be downloaded from PostgreSQL's Web site, applies to the most recent version 8.1 of PostgreSQL, which was released just last November, in addition to older versions 8.0, 7.4 and 7.3.

"The fixes in the 8.1 and 8.0 branches are critical, especially for Windows users, and users of these branches are urged to update at their earliest opportunity," PostgreSQL project member Marc Fournier wrote in an e-mail. A message was also posted online.

Fournier said one fix repaired a denial-of-service vulnerability that could affect PostgreSQL running on Windows systems if too many connection attempts were simultaneously made to the database.

"Another critical fix repairs an error in ReadBuffer that can cause data loss due to overwriting recently added pages," he wrote. "This applies to the 8.1 and 8.0 branches on all platforms."
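A small triage helper, added here as an example and not part of the article or of the PostgreSQL project's own tooling: it parses the string returned by `SELECT version()` and reports whether the server sits on one of the branches named above (8.1, 8.0, 7.4, 7.3), flagging the 8.1 and 8.0 branches as critical and adding the Windows connection-flood note where relevant. The article does not list the patched minor releases, so `PATCHED_MINOR` holds `None` placeholders to be filled in from the project's release notes; until then every affected branch is reported as needing an update.

```python
import re

# Branches the article says received fixes. The 8.1 and 8.0 fixes are the
# ones described as critical (ReadBuffer data loss on all platforms, plus a
# connection-flood denial of service on Windows); the article gives no
# severity for 7.4 and 7.3, so they are listed without one.
AFFECTED_BRANCHES = {"8.1": "critical", "8.0": "critical", "7.4": None, "7.3": None}

# Placeholders: the first patched minor release per branch is not stated in
# the article. Fill these in from the project's release notes.
PATCHED_MINOR = {"8.1": None, "8.0": None, "7.4": None, "7.3": None}

# Matches the leading part of SELECT version() output, e.g.
# "PostgreSQL 8.1.0 on i686-pc-linux-gnu, compiled by GCC ..."
VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version_string):
    """Return (major, minor, patch) from a SELECT version() string.

    A missing patch component (e.g. "PostgreSQL 8.1") is treated as 0.
    """
    m = VERSION_RE.search(version_string)
    if not m:
        raise ValueError("not a PostgreSQL version string: %r" % version_string)
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return int(major), int(minor), int(patch) if patch is not None else 0


def assess(version_string, on_windows=False):
    """Classify a server against the branches named in the advisory.

    on_windows: whether the server host runs Windows, which is where the
    connection-flood denial of service applies.
    """
    major, minor, patch = parse_version(version_string)
    branch = "%d.%d" % (major, minor)
    result = {
        "branch": branch,
        "affected_branch": branch in AFFECTED_BRANCHES,
        "severity": None,
        "needs_update": False,
        "notes": [],
    }
    if not result["affected_branch"]:
        return result

    result["severity"] = AFFECTED_BRANCHES[branch]
    if result["severity"] == "critical":
        result["notes"].append("ReadBuffer data-loss fix applies on all platforms")
        if on_windows:
            result["notes"].append("connection-flood denial of service affects Windows hosts")

    fixed = PATCHED_MINOR[branch]
    if fixed is None:
        # Placeholder not filled in: be conservative and assume unpatched.
        result["needs_update"] = True
        result["notes"].append("patched release unknown; verify against release notes")
    else:
        result["needs_update"] = patch < fixed
    return result


if __name__ == "__main__":
    # Constructed sample version strings, not captured from real servers.
    samples = [
        ("PostgreSQL 8.1.0 on i686-pc-mingw32, compiled by GCC", True),
        ("PostgreSQL 8.0.3 on i686-pc-linux-gnu, compiled by GCC", False),
        ("PostgreSQL 7.4.8 on i686-pc-linux-gnu, compiled by GCC", False),
    ]
    for version_string, windows in samples:
        print(assess(version_string, on_windows=windows))
```

Point it at the output of `psql -Atc 'SELECT version()'` for each server in an inventory; once the patched minor releases are filled in, `needs_update` becomes a real comparison rather than the conservative default.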

The project member added that further details of the problems will appear in the documentation for the updated versions of the software. It will take a few days for these details to be available online, he said.

PostgreSQL is an open-source project constructed by about 200 software developers and is licensed under the BSD license, which allows it to be used in free or commercial software products at no charge.

It is one of the most popular open-source databases. The previous version, 8.0, saw an estimated 1 million downloads within seven months of release, according to the project's Web site. The database also comes free with a number of Linux distributions.

Back in November of last year, Sun Microsystems announced plans to distribute and support PostgreSQL.

Renai LeMay of ZDNet Australia reported from Sydney.