Number 01/2013
Issued on 09/04/2013
Valid until upgrade has been performed
Issued by LARA Team
A critical security flaw (CVE-2013-1899) has been found in PostgreSQL 9.0, 9.1 and 9.2. Anyone with network access to the port of the PostgreSQL cluster can pass arbitrary command-line switches to the server process simply by attempting to connect to a database whose name begins with ‘-‘. The server treats the database name as a command-line switch and acts on it before the connection request has been validated, so the damage is done even if the connection is eventually rejected; no database account is required.
An example would be to attempt to connect to a database named ‘-r C:\Program Files\PostgreSQL\9.1\data\pg_hba.conf’. The -r switch redirects the server's log output (stderr) to the named file in append mode, so the log is written into pg_hba.conf and the file is corrupted. Any file the server process can write to in the data directory can be damaged in the same way, so complete destruction of database tables is also possible through this flaw.
To fix the flaw, update your PostgreSQL to the first fixed release of your branch (9.0.13, 9.1.9 or 9.2.4) or later, available from
http://www.enterprisedb.com/products-services-training/pgdownload.
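The following check is an added example and is not part of the original LARA Notice or of the PostgreSQL distribution. It decides from a server's version string whether the installed release still carries the flaw described above, using the fixed releases 9.0.13, 9.1.9 and 9.2.4 stated in this notice; 8.x and 9.3 and later are treated as unaffected. The live lookup via psql ("SHOW server_version") is optional and assumes a psql binary and a reachable server configured through the usual PG* environment variables.

```python
"""Check whether a PostgreSQL server is still affected by the '-' database-name
switch-injection flaw (CVE-2013-1899) described in LARA Notice 01/2013.

Added example, not code from the notice or from the PostgreSQL project.
Assumed facts: only the 9.0, 9.1 and 9.2 branches are affected, and the
first fixed releases are 9.0.13, 9.1.9 and 9.2.4.
"""
import re
import subprocess
from typing import Optional, Tuple

# First fixed patch level per affected branch (see the notice's fix section).
FIXED_RELEASES = {
    (9, 0): 13,
    (9, 1): 9,
    (9, 2): 4,
}

# Matches "9.1.8" both in "SHOW server_version" output and inside the longer
# "PostgreSQL 9.1.8 on x86_64-..." string returned by "SELECT version()".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a server version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no PostgreSQL version found in: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(text: str) -> bool:
    """True if the version is on an affected branch and below the fixed release."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        # 8.x branches never had the flaw; 9.3 and later shipped with the fix.
        return False
    return patch < fixed


def server_version(psql: str = "psql") -> Optional[str]:
    """Ask a reachable server for its version via psql; None if that fails.

    -X skips psqlrc, -A -t give a bare unaligned value. Connection details
    come from PGHOST/PGPORT/PGUSER/PGDATABASE as for any psql invocation.
    """
    try:
        out = subprocess.run(
            [psql, "-X", "-At", "-c", "SHOW server_version"],
            capture_output=True, text=True, timeout=10, check=True,
        )
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample strings; they are not output from any real server.
    samples = [
        "9.1.8",
        "9.1.9",
        "PostgreSQL 9.2.3 on x86_64-unknown-linux-gnu, compiled by gcc",
        "8.4.16",
        "9.3.0",
    ]
    for s in samples:
        print(f"{s!r:70} vulnerable={is_vulnerable(s)}")

    live = server_version()
    if live is None:
        print("no reachable server (psql missing or connection failed)")
    else:
        print(f"server reports {live}: vulnerable={is_vulnerable(live)}")
```

Run it on every host that exposes a PostgreSQL port, not only the one that LARA itself connects to: the flaw needs no credentials, so any reachable unpatched cluster counts.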
A LARA Notice is issued and distributed among LARA Users to inform the LARA Community about observations, important changes and related limitations in regard to the operational use of the LARA Software. Please ensure that relevant personnel are informed about this LARA Notice. In case of any questions, please contact the LARA Team at lara@eurocontrol.int.