Security, Bugs and Perl Fix – PostgreSQL

PostgreSQL released an update for all supported branches today, which includes a minor/major security fix and a minor/major enhancement, and you can and should get them now.

The arches are busy (bugs.gentoo.org) testing the packages, and will stabilize them as quickly as they can. But if you’re using the Blowfish cipher from pgcrypto, you probably won’t want to wait that long.

A bug was found (www.openwall.com) in which the encryption code could give wrong results on platforms where char is signed (which is most), leaving encrypted passwords weaker than they should be.
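To see why a signed char weakens the result, here is an added illustration (not code from PostgreSQL or from the original post). It assumes the key setup packs password bytes into 32-bit words by shifting and ORing; the function names and sample passwords are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pack the next 4 key bytes into one 32-bit word, cycling over the key and
 * its NUL terminator (assumed model of how the 18 key words are fed).
 * buggy=1 models ORing in a signed char; buggy=0 models the corrected cast. */
static uint32_t pack_word(const char *key, size_t *pos, int buggy)
{
    size_t len = strlen(key) + 1;
    uint32_t tmp = 0;
    for (int j = 0; j < 4; j++) {
        tmp <<= 8;
        if (buggy)  /* bytes >= 0x80 sign-extend to 0xFFFFFFxx */
            tmp |= (uint32_t)(int32_t)(signed char)key[*pos];
        else
            tmp |= (unsigned char)key[*pos];
        *pos = (*pos + 1) % len;
    }
    return tmp;
}

/* First word of key material produced from the key. */
static uint32_t first_word(const char *key, int buggy)
{
    size_t pos = 0;
    return pack_word(key, &pos, buggy);
}

/* Return 1 if both keys yield identical key material for all 18 words. */
static int keys_collide(const char *a, const char *b, int buggy)
{
    size_t pa = 0, pb = 0;
    for (int i = 0; i < 18; i++)
        if (pack_word(a, &pa, buggy) != pack_word(b, &pb, buggy))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample passwords: they differ in the 3 bytes before 0xE9. */
    const char *a = "abc\xe9" "xyz", *b = "123\xe9" "xyz";
    printf("signed char:   %08x collide=%d\n", (unsigned)first_word(a, 1), keys_collide(a, b, 1));
    printf("unsigned char: %08x collide=%d\n", (unsigned)first_word(a, 0), keys_collide(a, b, 0));
    return 0;
}
```

With the signed variant, a byte with the high bit set overwrites the bytes packed before it in the same word, so the two different sample passwords produce the same key material. Passwords made only of 7-bit ASCII characters are not affected.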

If you are running a PostgreSQL server using the Blowfish cipher from pgcrypto, update now. If you’re not using pgcrypto in any of your databases, you’re safe and can wait for the latest versions to be stabilized, though I’d still recommend making the move. If you don’t even have a PostgreSQL server on your machine, you’re doubly safe.

So, the security fix is minor if you don’t use the cipher, but major if you do.

On to Perl: 5.14 support was finally patched in. If you’ve been waiting for PostgreSQL to get this support going, this is a major enhancement; otherwise it’ll be a dull and dreary minor enhancement. Again, this only affects server owners.

There have been many other fixes, too. Check the news announcement (www.postgresql.org) for more information.
