PostgreSQL Released Security Updates Against High-Risk Vulnerability

PBKVenomz

Major updates were released by the PostgreSQL Global Development Group to its developers in order to address several vulnerabilities, including a high-risk one that could allow attackers to crash the server, modify configuration variables as superuser or execute arbitrary code if certain conditions are met.

The popular open-source database system, PostgreSQL, released the update on Thursday, April 4, 2013 (US Time). The PostgreSQL Global Development Group was quoted as saying, "This update fixes a high-exposure security vulnerability in versions 9.0 and later." The group urged all users of the affected versions to apply the update immediately.

The group also identified the high-risk vulnerability as CVE-2013-1899. It can be exploited by sending maliciously crafted connection requests to a completed PostgreSQL server that include command-line switches specifying a database name beginning with the "_" character. Successful exploits can result in persistent denial of service, privilege escalation or arbitrary code execution, depending on the server's configuration.

Attackers can append error messages to files located in the PostgreSQL data directory. Files corrupted in this way may cause the database server to crash and to refuse to restart. The only way to fix this is by either editing the files and removing the garbage text, or restoring from backup.

The PostgreSQL developers advise server administrators to update their PostgreSQL installations to the newly released 9.0.13, 9.1.9 or 9.2.4 versions, and to block access to their database servers from untrusted networks. The 8.4 branch of PostgreSQL is not affected by CVE-2013-1899, but PostgreSQL 8.4.17 was also released to fix other issues.

For more information regarding the PostgreSQL updates, visit the official PostgreSQL website. You can also download the update for free.
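To triage an inventory against the fixed releases named in the post (9.0.13, 9.1.9, 9.2.4), the following is an added example and not part of the original post. The function names and the sample hosts are hypothetical, and it assumes branches newer than 9.2 were first released after the fix.

```python
import re

# First fixed patch release per affected branch, as listed in the post.
FIXED_PATCH = {(9, 0): 13, (9, 1): 9, (9, 2): 4}

# Matches "9.1.8" inside a bare version or a full "SELECT version()" banner.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def classify(version_text):
    """Return 'vulnerable', 'patched', 'not affected' or 'unknown'."""
    m = _VERSION_RE.search(version_text)
    if not m:
        return "unknown"
    branch = (int(m.group(1)), int(m.group(2)))
    if branch < (9, 0):
        # The post: the flaw is in 9.0 and later; 8.4 is not affected.
        return "not affected"
    if branch in FIXED_PATCH:
        if m.group(3) is None:
            # No patch level (e.g. "9.2beta1"): do not guess, flag for review.
            return "unknown"
        patched = int(m.group(3)) >= FIXED_PATCH[branch]
        return "patched" if patched else "vulnerable"
    # Assumption: branches newer than 9.2 shipped after the fix.
    return "patched"


def needs_attention(inventory):
    """Map host -> status for hosts that are vulnerable or unclassifiable."""
    flagged = {}
    for host, version_text in sorted(inventory.items()):
        status = classify(version_text)
        if status in ("vulnerable", "unknown"):
            flagged[host] = status
    return flagged


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY = {
    "db1.example.internal": "PostgreSQL 9.1.8 on x86_64-unknown-linux-gnu",
    "db2.example.internal": "9.2.4",
    "db3.example.internal": "8.4.16",
    "db4.example.internal": "9.0.12",
    "db5.example.internal": "9.2beta1",
}

if __name__ == "__main__":
    for host, status in needs_attention(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check of the exact patch level before they can be cleared.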