Today's PostgreSQL security announcement

LabKey Support Forum (Inactive)
Brian Connolly, 2013-04-04 18:29
Status: Closed
 
Today PostgreSQL announced CVE-2013-1899 [1], a vulnerability that allows a remote attacker, with access to the PostgreSQL port, to cause malicious damage to a database. If you are running LabKey Server using a PostgreSQL database server, then your system is at risk and the PostgreSQL server should be upgraded as soon as possible.

The vulnerability affects PostgreSQL Server versions 9.0.x, 9.1.x and 9.2.x. You can find further information in the 2013-04-04 Security Release FAQ [2].

The LabKey Server Graphical Windows Installer package includes PostgreSQL 9.2.1, which is vulnerable. However, the PostgreSQL server is bound to localhost by default, so it is only accessible from the server itself, thereby mitigating the vulnerability to users with access to the system. We will include a patched version of PostgreSQL in the upcoming 13.1 release of the Graphical Windows Installer.

If you have any questions, concerns or need any assistance in upgrading your PostgreSQL server, please do not hesitate to contact us.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899
[2] http://www.postgresql.org/support/security/faq/2013-04-04/
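A check for the two conditions the post describes, an affected branch and a listener that is not bound to localhost only, written as an added example (not LabKey or PostgreSQL project code). It assumes you supply the server's version string and the text of its `postgresql.conf`; the sample inputs are constructed, and because the post does not list the fixed minor releases, the check flags the branch only and leaves the minor release to be confirmed against the FAQ [2].

```python
import re

AFFECTED_BRANCHES = {"9.0", "9.1", "9.2"}      # branches named in the post
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# postgresql.conf syntax: "name = value", the "=" is optional, "#" starts a comment.
_SETTING = re.compile(
    r"\s*listen_addresses(?:\s*=\s*|\s+)(?:'([^']*)'|([^\s#]+))", re.I)

def listen_addresses(conf_text):
    """Return the effective listen_addresses entries (the last setting wins)."""
    value = "localhost"  # PostgreSQL's built-in default when the line is absent or commented out
    for line in conf_text.splitlines():
        m = _SETTING.match(line)
        if m:
            value = m.group(1) if m.group(1) is not None else m.group(2)
    # An empty list means no TCP/IP listener at all.
    return [a.strip().lower() for a in value.split(",") if a.strip()]

def branch(version_string):
    """Extract the 'major.minor' branch from e.g. SELECT version() output."""
    m = re.search(r"(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError("no version number found in %r" % version_string)
    return "%s.%s" % (m.group(1), m.group(2))

def assess(version_string, conf_text):
    """Classify a server by branch and by whether it listens beyond loopback."""
    if branch(version_string) not in AFFECTED_BRANCHES:
        return "branch-not-listed"
    exposed = [a for a in listen_addresses(conf_text) if a not in LOOPBACK]
    return "affected-network-exposed" if exposed else "affected-loopback-only"

# Constructed sample configurations (not taken from a real installation).
INSTALLER_DEFAULT = "#listen_addresses = 'localhost'\nport = 5432\n"
OPENED_UP = "listen_addresses = 'localhost'\nlisten_addresses = '*'  # added later\n"

if __name__ == "__main__":
    for name, conf in (("default", INSTALLER_DEFAULT), ("opened up", OPENED_UP)):
        print(name, "->", assess("PostgreSQL 9.2.1", conf))
```

A result of `affected-loopback-only` matches the installer default described above; `affected-network-exposed` is the case where the upgrade is most urgent.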