-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 May 2026 12:51:10 +0200
Source: postgresql-15
Binary: postgresql-doc-15
Architecture: all
Version: 15.18-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: all Build Daemon (x86-csail-02) <buildd_all-x86-csail-02@buildd.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description:
 postgresql-doc-15 - documentation for the PostgreSQL database management system
Changes:
 postgresql-15 (15.18-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version 15.18.
 .
     + Prevent unbounded recursion while processing startup packets
       (Michael Paquier)
 .
       A malicious client could crash the connected backend by alternating
       rejected SSL and GSS encryption requests indefinitely.
 .
       The PostgreSQL Project thanks Calif.io (in collaboration with Claude and
       Anthropic Research) for reporting this problem. (CVE-2026-6479)
 .
     + Fix assorted integer overflows in memory-allocation calculations
       (Tom Lane, Nathan Bossart, Heikki Linnakangas)
 .
       Various places were incautious about the possibility of integer overflow
       in calculations of how much memory to allocate.  Overflow would lead to
       allocating a too-small buffer which the caller would then write past the
       end of.  This would at least trigger server crashes, and probably could
       be exploited for arbitrary code execution.  In many but by no means all
       cases, the hazard exists only in 32-bit builds.
 .
       The PostgreSQL Project thanks Xint Code, Bruce Dang, Sven Klemm, and
       Pavel Kohout for reporting these problems. (CVE-2026-6473)
 .
     + Reject over-length options in ts_headline() (Michael Paquier)
 .
       The StartSel, StopSel and FragmentDelimiter strings must not exceed 32Kb
       in length, but this was not checked for.  An over-length value would
       typically crash the server.
 .
       The PostgreSQL Project thanks Xint Code for reporting this problem.
       (CVE-2026-6473)
 .
     + Guard against malicious time zone names in timeofday() and pg_strftime()
       (Tom Lane)
 .
       A crafted time zone setting could pass % sequences to snprintf(),
       potentially causing crashes or disclosure of server memory.  Another
       path to similar results was to overflow the limited-size output buffer
       used by pg_strftime().
 .
       The PostgreSQL Project thanks Xint Code for reporting this problem.
       (CVE-2026-6474)
 .
     + When creating a multirange type, ensure the user has CREATE privilege on
       the schema specified for the multirange type (Jelte Fennema-Nio)
 .
       The multirange type can be put into a different schema than its parent
       range type, but we neglected to apply the required privilege check when
       doing so.
 .
       The PostgreSQL Project thanks Jelte Fennema-Nio for reporting this
       problem. (CVE-2026-6472)
 .
     + Use timing-safe string comparisons in authentication code
       (Michael Paquier)
 .
       Use timingsafe_bcmp() instead of memcpy() or strcmp() when checking
       passwords, hashes, etc.  It is not known whether the data dependency of
       those functions is usefully exploitable in any of these places, but in
       the interests of safety, replace them.
 .
       The PostgreSQL Project thanks Joe Conway for reporting this problem.
       (CVE-2026-6478)
 .
     + Mark PQfn() as unsafe, and avoid using it within libpq (Nathan Bossart)
 .
       For a non-integral result type, PQfn() is not passed the size of the
       output buffer, so it cannot check that the data returned by the server
       will fit.  A malicious server could therefore overwrite client memory.
       This is unfixable without an API change, so mark the function as
       deprecated.  Internally to libpq, use a variant version that can apply
       the missing check.
 .
       The PostgreSQL Project thanks Yu Kunpeng and Martin Heistermann for
       reporting this problem. (CVE-2026-6477)
 .
     + Prevent path traversal in pg_basebackup and pg_rewind (Michael Paquier)
 .
       These applications failed to validate output file paths read from their
       input, so that a malicious source could overwrite any file writable by
       these applications.  Constrain where data can be written by rejecting
       paths that are absolute or contain parent-directory references.
 .
       The PostgreSQL Project thanks XlabAI Team of Tencent Xuanwu Lab and
       Valery Gubanov for reporting this problem. (CVE-2026-6475)
 .
     + Guard against field overflow within contrib/intarray's query_int type
       and contrib/ltree's ltxtquery type (Tom Lane)
 .
       Parsing of these query structures did not check for overflow of 16-bit
       fields, so that construction of an invalid query tree was possible.
       This can crash the server when executing the query.
 .
       The PostgreSQL Project thanks Xint Code for reporting this problem.
       (CVE-2026-6473)
 .
     + Guard against overly long values of contrib/ltree's lquery type
       (Michael Paquier)
 .
       Values with more than 64K items caused internal overflows, potentially
       resulting in stack smashes or wrong answers.
 .
       The PostgreSQL Project thanks Vergissmeinnicht, A1ex, and Jihe Wang for
       reporting this problem. (CVE-2026-6473)
 .
     + Prevent SQL injection and buffer overruns in contrib/spi
       (Nathan Bossart)
 .
       check_foreign_key() was insufficiently careful about quoting key values,
       and also used fixed-length buffers for constructing queries.  While this
       module is only meant as example code, it still shouldn't contain such
       dangerous errors.
 .
       The PostgreSQL Project thanks Nikolay Samokhvalov for reporting this
       problem. (CVE-2026-6637)
Checksums-Sha1:
 918163c699a996461ce3f761d6e8fa6170758b82 10672 postgresql-15_15.18-0+deb12u1_all-buildd.buildinfo
 c7509465c969020f6ce89ae57ff0b70bb0d05b45 2096084 postgresql-doc-15_15.18-0+deb12u1_all.deb
Checksums-Sha256:
 ee6feb254ef233141c9dab1d18c0b4790a3560622cbbf07082e28d949ad19cf4 10672 postgresql-15_15.18-0+deb12u1_all-buildd.buildinfo
 3c598277a463c44d672daa2c335deb8d8252e1852fb025fd4578ea2d9a1b90f0 2096084 postgresql-doc-15_15.18-0+deb12u1_all.deb
Files:
 478fdbaeb25de6e13b23d22e6f5c5bba 10672 database optional postgresql-15_15.18-0+deb12u1_all-buildd.buildinfo
 48ab041485a17b2b55a2aa7c0a1ac595 2096084 doc optional postgresql-doc-15_15.18-0+deb12u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXLxUpUHQBQBTDtd4aBVi67oXtfkFAmoDPigACgkQaBVi67oX
tflhsQ/9F1Ef63Uv3ynQZh+gFPr3Vzzb8i/qK6hKZ+gQjIIBXDaWjj6QVMra0BFR
ugzNAaWJb4yqad/I1Tt14XrfMnB4SOrsAXBFDbW9oMe/0rF1SArbJXHf/EKZ1Gyy
NvU43ZjxMHTC4gApSRxGnytPp4z9T638Gk3sPuwTe1ne26gYH9YUoI0pg/fuayZ+
2clwSv2tPO7icOz1DqS3k4KR+4XLJ6qcO7RiQXgIXhhr32UteI7ZzMAPwvRHsnrL
RmgA/jk2wJ8NYsa/+HlsV41AgwkeLpGc/iJ1pMhRoy8Usumuh5CUxvliLOXrwpLu
NuGp2DKfCe6eCqsThytPFxnwIzdV1mxOej7PW3+hBALInoXrYXDjuYR0AGCxJMll
q32qsOUa0SCdMmNGhjZLKFbkRztMcjBMkFbTxamPOYyQZtV73qU8sF/XqRY6QVpN
Zo4eWgAg30t49slCrAFZh0UhUQmB7Zlo3e6T5TWiMH0WJkVdzbAoR8ShNYzZl2Bd
s9lMUE13OQ9zXkaO1QaByK027+2/r1JFVaTwxAg0/3xwcyguScacusPq519SEn2t
K6/n4XuZZVOfUe1AV4eQlTQZIXtSqP5F+bTQcKdgqn2tQe67UPUU2luqWjoQ7VaQ
H4+/JK3clmEnG0lfOLSymhcDIIfi9125iH94n2MZkeU900wBUUI=
=kfZ6
-----END PGP SIGNATURE-----