PostgreSQL 是一个自由的对象-关系数据库服务器(数据库管理系统)，它在灵活的 BSD-风格许可证下发行。它提供了相对其他开放源代码数据库系统(比如 MySQL 和 Firebird)，和对专有系统比如 Oracle、Sybase、IBM 的 DB2 和 Microsoft SQL Server的一种选择。

PostgreSQL 全球开发组今天发布了全系的安全更新版本，包括：9.1.4, 9.0.8, 8.4.12 and 8.3.19.

如果你使用了 pg_crypto 模块中的 crypt(text,text) 函数用于 DES 加密的话，那你应该立即更新到最新版本。

其中 9.1 版本修复的 bug 包括：

• Fix citext upgrade script for collations of citext arrays and domains over citext
• Fixes for timezone handling
• Fix text or char to name casts to perform string truncation correctly in multibyte encodings
• Fix memory copying bug in to_tsquery()
• Ensure txid_current() reports the correct epoch when executed in hot standby
• Fix planner’s handling of sub-SELECTS referencing variables coming from the nullable side of an outer join of the surrounding query
• Fix planning of UNION ALL subqueries with output columns that are not simple variables
• Fix slow session startup when pg_attribute is very large
• Ensure sequential scans check for query cancel reasonably often
• Show whole-row variables safely when printing views or rules
• Fix COPY FROM to properly handle null marker strings that correspond to invalid encoding
• Fix EXPLAIN VERBOSE for writable CTEs containing RETURNING clauses
• Fix PREPARE TRANSACTION to work correctly in the presence of advisory locks
• Fix bugs with temporary or transient tables used in extension scripts
• Ensure autovacuum worker processes perform stack depth checking properly
• Fix logging collector to not lose log coherency under high load
• Fix logging collector to ensure it will restart file rotation after receiving SIGHUP
• Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped
• Avoid synchronous replication delay when committing a transaction that only modified temporary tables

包含两个安全补丁：

• CVE-2012-2143: Fix incorrect password transformation in contrib/pgcrypto’s DES crypt() function
• CVE-2012-2655: Ignore SECURITY DEFINER and SET attributes for a procedural language’s call handler

这个漏洞会直接导致服务器挂机，而且影响到所有的 PostgreSQL 版本。

关于此漏洞的更详细描述请看发行说明。

下载地址：download page.