PostgreSQL serious security flaw
Filed in archive Security by prashanth on June 1, 2006

PostgreSQL users have been put in a potentially sticky situation by a serious security flaw made public this week. The flaw allows SQL injection attacks and affects all versions of PostgreSQL except the fixed versions released this week. However, the fix, PostgreSQL developers admit, will break many users' applications.

"Six PostgreSQL programmers worked for four weeks to come up with a method to fix the vulnerability without affecting production applications," said core developer Josh Berkus in documentation published to explain the complex bug. "This was the best we could do - it leaves most users' applications untouched."

Those using Far Eastern multi-byte encodings such as SJIS, BIG5, GBK, GB18030 and UHC are out of luck, however, and will need to rework their applications for them to work after applying the patch. Specifically, they will need to remove any nonstandard string escaping mechanisms, such as the popular "backslash-escape", or at least modify them to use SQL-standard escaping, according to Berkus. He admitted the modifications would be "painful" for many users.
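As an added example (my own code, not part of the article or of the PostgreSQL project), the following helper shows what "SQL-standard escaping" means in practice for an application that must stop using backslash-escaping: a string literal is built by doubling single quotes only, with no backslash ever inserted, and the result is checked to be a well-formed literal in the target encoding. The function names, the codec names used for the encodings the article lists (UHC is Python's cp949), and the sample strings are assumptions of this example.

```python
# Added example, not from the article or the PostgreSQL project: an
# encoding-aware helper that builds SQL-standard string literals (quote
# doubling, no backslashes) and validates them, exercised on the
# multi-byte encodings the article names.  All names are my own.

# Encodings named in the article, as Python codec names (assumed mapping;
# UHC is Python's cp949 codec).
ENCODINGS = {"SJIS": "shift_jis", "BIG5": "big5", "GBK": "gbk",
             "GB18030": "gb18030", "UHC": "cp949"}


def sql_standard_literal(text: str, encoding: str) -> bytes:
    """Encode `text` and wrap it as an SQL-standard string literal.

    Standard SQL escapes a single quote only by doubling it.  No
    backslash (0x5C) is inserted, so a multi-byte character whose
    trailing byte is 0x5C (e.g. 'ソ' = 0x83 0x5C in Shift_JIS) is
    passed through unchanged instead of being split.
    """
    data = text.encode(encoding)
    return b"'" + data.replace(b"'", b"''") + b"'"


def literal_is_well_formed(literal: bytes, encoding: str) -> bool:
    """Return True if `literal` is a valid, properly closed SQL literal.

    Scanning byte-wise for 0x27 is sound here because none of the
    encodings above use a byte below 0x40 as a trailing byte, so a
    quote byte is always a real quote.  Decoding the body catches any
    multi-byte sequence that was split or truncated.
    """
    if len(literal) < 2 or literal[:1] != b"'" or literal[-1:] != b"'":
        return False
    body = literal[1:-1]
    try:
        body.decode(encoding)
    except UnicodeDecodeError:
        return False
    i = 0
    while i < len(body):
        if body[i:i + 1] == b"'":
            # A lone interior quote would terminate the literal early.
            if body[i + 1:i + 2] != b"'":
                return False
            i += 2
        else:
            i += 1
    return True


def unquote_literal(literal: bytes, encoding: str) -> str:
    """Inverse of sql_standard_literal; raises on a malformed literal."""
    if not literal_is_well_formed(literal, encoding):
        raise ValueError("malformed SQL string literal")
    return literal[1:-1].replace(b"''", b"'").decode(encoding)


def round_trip_ok(text: str, encoding: str) -> bool:
    """Quote, validate and unquote; True when the text survives intact."""
    lit = sql_standard_literal(text, encoding)
    return (literal_is_well_formed(lit, encoding)
            and unquote_literal(lit, encoding) == text)


if __name__ == "__main__":
    # Constructed sample: a katakana character whose second byte is 0x5C,
    # followed by a quote that must be doubled.
    sample = "ソ'ト"
    lit = sql_standard_literal(sample, ENCODINGS["SJIS"])
    print(lit)
    print(round_trip_ok(sample, ENCODINGS["SJIS"]))
```

The design point is that quote doubling never adds a byte that can be absorbed into a neighbouring multi-byte character, which is exactly the property the nonstandard backslash scheme lacks in these encodings; `literal_is_well_formed` is the check an application can run on its own generated literals while migrating.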

Source: 1

Update: Josh Berkus left a comment to this post suggesting that people read the FAQ about the security fix set up here so that they know exactly what changes they need to make and whether they are in danger.

Prashanth Rai


