Tim Bunce

**Name of the Vulnerable Software and Affected Versions** Safe module versions prior to 2.25 **Description** The issue allows context-dependent attackers to bypass intended access restrictions, specifically those imposed by Safe::reval and Safe::rdo, and inject and execute arbitrary code. This can be achieved through vectors involving implicitly called methods, such as DESTROY and AUTOLOAD, and implicitly blessed objects, which are related to "automagic methods." **Recommendations** For versions prior to 2.25, update to version 2.25 or later to resolve the issue. As a temporary workaround, consider restricting the use of implicitly called methods, such as DESTROY and AUTOLOAD, until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions 7.4 through 7.4.28 PostgreSQL versions 8.0 through 8.0.24 PostgreSQL versions 8.1 through 8.1.20 PostgreSQL versions 8.2 through 8.2.16 PostgreSQL versions 8.3 through 8.3.10 PostgreSQL versions 8.4 through 8.4.3 PostgreSQL version 9.0 Beta before 9.0 Beta 2 **Description** The issue is related to the improper restriction of PL/perl procedures, allowing remote authenticated users with database-creation privileges to execute arbitrary Perl code via a crafted script. This is related to the Safe module (aka Safe.pm) for Perl. An authenticated user can run arbitrary Perl code on the database server if PL/Perl is installed and enabled. **Recommendations** For PostgreSQL versions 7.4 through 7.4.28, update to version 7.4.29 or later. For PostgreSQL versions 8.0 through 8.0.24, update to version 8.0.25 or later. For PostgreSQL versions 8.1 through 8.1.20, update to version 8.1.21 or later. For PostgreSQL versions 8.2 through 8.2.16, update to version 8.2.17 or later. For PostgreSQL versions 8.3 through 8.3.10, update to version 8.3.11 or later. For PostgreSQL versions 8.4 through 8.4.3, update to version 8.4.4 or later. For PostgreSQL version 9.0 Beta before 9.0 Beta 2, update to version 9.0 Beta 2 or later.