-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 May 2026 12:51:10 +0200
Source: postgresql-15
Architecture: source
Version: 15.18-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
Changes:
 postgresql-15 (15.18-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version 15.18.
 .
     + Prevent unbounded recursion while processing startup packets
       (Michael Paquier)
 .
       A malicious client could crash the connected backend by alternating
       rejected SSL and GSS encryption requests indefinitely.
 .
       The PostgreSQL Project thanks Calif.io (in collaboration with Claude
       and Anthropic Research) for reporting this problem. (CVE-2026-6479)
 .
     + Fix assorted integer overflows in memory-allocation calculations
       (Tom Lane, Nathan Bossart, Heikki Linnakangas)
 .
       Various places were incautious about the possibility of integer
       overflow in calculations of how much memory to allocate. Overflow
       would lead to allocating a too-small buffer which the caller would
       then write past the end of. This would at least trigger server
       crashes, and probably could be exploited for arbitrary code
       execution. In many but by no means all cases, the hazard exists only
       in 32-bit builds.
 .
       The PostgreSQL Project thanks Xint Code, Bruce Dang, Sven Klemm, and
       Pavel Kohout for reporting these problems. (CVE-2026-6473)
 .
     + Reject over-length options in ts_headline() (Michael Paquier)
 .
       The StartSel, StopSel and FragmentDelimiter strings must not exceed
       32Kb in length, but this was not checked for. An over-length value
       would typically crash the server.
 .
       The PostgreSQL Project thanks Xint Code for reporting this problem.
       (CVE-2026-6473)
 .
     + Guard against malicious time zone names in timeofday() and
       pg_strftime() (Tom Lane)
 .
       A crafted time zone setting could pass % sequences to snprintf(),
       potentially causing crashes or disclosure of server memory.
       Another path to similar results was to overflow the limited-size
       output buffer used by pg_strftime().
 .
       The PostgreSQL Project thanks Xint Code for reporting this problem.
       (CVE-2026-6474)
 .
     + When creating a multirange type, ensure the user has CREATE privilege
       on the schema specified for the multirange type (Jelte Fennema-Nio)
 .
       The multirange type can be put into a different schema than its
       parent range type, but we neglected to apply the required privilege
       check when doing so.
 .
       The PostgreSQL Project thanks Jelte Fennema-Nio for reporting this
       problem. (CVE-2026-6472)
 .
     + Use timing-safe string comparisons in authentication code (Michael
       Paquier)
 .
       Use timingsafe_bcmp() instead of memcmp() or strcmp() when checking
       passwords, hashes, etc. It is not known whether the data dependency
       of those functions is usefully exploitable in any of these places,
       but in the interests of safety, replace them.
 .
       The PostgreSQL Project thanks Joe Conway for reporting this problem.
       (CVE-2026-6478)
 .
     + Mark PQfn() as unsafe, and avoid using it within libpq (Nathan
       Bossart)
 .
       For a non-integral result type, PQfn() is not passed the size of the
       output buffer, so it cannot check that the data returned by the
       server will fit. A malicious server could therefore overwrite client
       memory. This is unfixable without an API change, so mark the function
       as deprecated. Internally to libpq, use a variant version that can
       apply the missing check.
 .
       The PostgreSQL Project thanks Yu Kunpeng and Martin Heistermann for
       reporting this problem. (CVE-2026-6477)
 .
     + Prevent path traversal in pg_basebackup and pg_rewind (Michael
       Paquier)
 .
       These applications failed to validate output file paths read from
       their input, so that a malicious source could overwrite any file
       writable by these applications. Constrain where data can be written
       by rejecting paths that are absolute or contain parent-directory
       references.
 .
       The PostgreSQL Project thanks XlabAI Team of Tencent Xuanwu Lab and
       Valery Gubanov for reporting this problem. (CVE-2026-6475)
 .
     + Guard against field overflow within contrib/intarray's query_int type
       and contrib/ltree's ltxtquery type (Tom Lane)
 .
       Parsing of these query structures did not check for overflow of
       16-bit fields, so that construction of an invalid query tree was
       possible. This can crash the server when executing the query.
 .
       The PostgreSQL Project thanks Xint Code for reporting this problem.
       (CVE-2026-6473)
 .
     + Guard against overly long values of contrib/ltree's lquery type
       (Michael Paquier)
 .
       Values with more than 64K items caused internal overflows,
       potentially resulting in stack smashes or wrong answers.
 .
       The PostgreSQL Project thanks Vergissmeinnicht, A1ex, and Jihe Wang
       for reporting this problem. (CVE-2026-6473)
 .
     + Prevent SQL injection and buffer overruns in contrib/spi (Nathan
       Bossart)
 .
       check_foreign_key() was insufficiently careful about quoting key
       values, and also used fixed-length buffers for constructing queries.
       While this module is only meant as example code, it still shouldn't
       contain such dangerous errors.
 .
       The PostgreSQL Project thanks Nikolay Samokhvalov for reporting this
       problem.
       (CVE-2026-6637)
Checksums-Sha1:
 6cfd5dfe568ca46506d3f7380c803ee206d21003 3942 postgresql-15_15.18-0+deb12u1.dsc
 fab946980b8709a3caf476eb87a2980fcc0664e8 23405115 postgresql-15_15.18.orig.tar.bz2
 b04edc34af9c6d6e85c739a24e99902cd4cca1a0 31828 postgresql-15_15.18-0+deb12u1.debian.tar.xz
Checksums-Sha256:
 d940b57dd029ef0712212164410fcb51854c883f3fc0c3a11486acdfd2ca5947 3942 postgresql-15_15.18-0+deb12u1.dsc
 11df0df97fe3ea4ba9a791faaf39cee1d2fe571e78885b5b55d8517d27c323b4 23405115 postgresql-15_15.18.orig.tar.bz2
 efe6fc2007229a2cc7b087d75cb1213d49e275ec47c4b896d5e0880b4904f8b3 31828 postgresql-15_15.18-0+deb12u1.debian.tar.xz
Files:
 1e6c5390e0abae7c82b15d66a5ffa7ce 3942 database optional postgresql-15_15.18-0+deb12u1.dsc
 bcf6d9b634d0950e74cdf332dee32ef8 23405115 database optional postgresql-15_15.18.orig.tar.bz2
 86961f295626da49ad37bcc6189b7121 31828 database optional postgresql-15_15.18-0+deb12u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmoDOKUACgkQTFprqxLS
p67wYw/6A8FMX6tQBit2txfl2wSVw03BdP34Q+fHHPm4ktjmtGcoxSaxZFGxdM4t
jXUAGhspWNRIQT4GE41x83BRJTZEdRQTJz9Vj4YnkIyOmIZvn/89cxvPwXS62Qw9
nrAnTKSupWtFBj25UKBA9VmpC0AEE3a9VAil088XVV82wmKw0VKGmhoMhSxUoAzX
RY7v9bRLc1GrLho0fugwCPoSsUFttu08uaSAKcju670erqjfSQgffHe9KUvU5bH0
h8mlUif9ZE54ViRIt+L5slger5doIEVUO0w6bT1M7a35l5lxZYFVrqcuz53uhJ1G
O+scmmsZpZv9ZQtiof9+jJcFc/T219Q0EZl6PMQxq/j/2ari+fxUKSu7g5bQOt//
djENeq0CmAhc3qZqmc1SDsVFniNe+8KWhrFzSbK2sMR+J8DhLmyzAi8VHhAgYqhB
sW8KqChCvSZcLOq8K0hwK167dDZVkTYtcEqCgK4+9avma6/bvPzjj4UNBigcmPyC
D4m5SapeflzaGxw3zV8HPgxRI7NTqS9/VwIwgQ8n52oKPlvevtBPsiGgJ3gPNyVM
0DfahXPtdMnTblqpPYh/t+hBnDT1qIAKNlX+O6y8vcNSyJ+RNydptWLug6L/b6rU
KbX7pCpgo6XXxXNxcpu5AT+sqf1mBnn6SFcS9V7GmlXUAPtndfE=
=IAnH
-----END PGP SIGNATURE-----
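The integer-overflow entry above (CVE-2026-6473) describes the general bug class: a size computed from an untrusted count wraps, the buffer comes out too small, and the caller writes past its end. The following C is an added example, not PostgreSQL or Debian code, showing the hazardous 32-bit arithmetic beside a checked size_t version. The allocation cap, the function names and the header/element layout are assumptions chosen for the illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Allocation cap for this illustration (assumption: resembles a server's
 * per-request limit, not a value taken from the advisory). */
#define ALLOC_CAP ((size_t) 0x3fffffff)

/* Hazardous pattern: the element count is attacker-controlled, the size
 * arithmetic is done in 32 bits, and the product silently wraps.  With
 * count = 0x40000000 and elem_size = 4 the product is 0, so only the
 * header bytes are allocated while the caller still writes count elements. */
static uint32_t unchecked_buffer_size(uint32_t count, uint32_t elem_size,
                                      uint32_t header)
{
    return header + count * elem_size;   /* defined wraparound, wrong answer */
}

/* Overflow-aware multiply and add on size_t; false means "would wrap". */
static bool mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

static bool add_size(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a)
        return false;
    *out = a + b;
    return true;
}

/* Hardened form: compute header + count * elem_size without wrapping and
 * refuse anything above the allocation cap.  Returns 0 on rejection;
 * callers always pass a non-zero header, so 0 is never a valid result. */
static size_t checked_buffer_size(size_t count, size_t elem_size, size_t header)
{
    size_t body, total;

    if (!mul_size(count, elem_size, &body))
        return 0;
    if (!add_size(body, header, &total))
        return 0;
    if (total > ALLOC_CAP)
        return 0;
    return total;
}

/* Allocate a header plus count elements, or return NULL if the request is
 * invalid, so later writes can rely on the size actually reserved. */
static void *alloc_header_and_array(size_t count, size_t elem_size,
                                    size_t header)
{
    size_t total = checked_buffer_size(count, elem_size, header);
    return total ? malloc(total) : NULL;
}

int main(void)
{
    uint32_t bad = unchecked_buffer_size(0x40000000u, 4u, 16u);
    size_t good = checked_buffer_size(0x40000000u, 4u, 16u);
    void *p;

    printf("unchecked: %" PRIu32 " bytes for 2^30 elements (wrapped)\n", bad);
    printf("checked:   %zu (0 = request rejected)\n", good);

    p = alloc_header_and_array(1000, 4, 16);
    printf("1000 elements: %s\n", p ? "allocated 4016 bytes" : "rejected");
    free(p);
    return 0;
}
```

The wrapped result is reproducible on any platform because the hazardous version uses unsigned 32-bit types; in a 32-bit build, size_t arithmetic would wrap the same way, which is why the checked version tests the multiplication and addition separately rather than comparing only the final total against the cap.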
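The timing-safe comparison entry above (CVE-2026-6478) replaces early-exit comparisons with timingsafe_bcmp(). The C below is an added example, not PostgreSQL's implementation, with a portable constant-time compare modelled on the OpenBSD function, a small model of why memcmp()/strcmp() leak the length of the matching prefix, and a verifier check built on the safe primitive. The sample 32-byte "hashes" are constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constant-time comparison modelled on OpenBSD's timingsafe_bcmp():
 * returns 0 if the n bytes match, 1 otherwise.  The OR-accumulate loop
 * touches every byte regardless of where the first difference is.
 * volatile discourages the compiler from re-introducing an early exit;
 * portable C cannot guarantee this, so inspect the compiled output for
 * anything critical. */
static int ct_bcmp(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = a;
    const volatile unsigned char *pb = b;
    unsigned char diff = 0;

    for (size_t i = 0; i < n; i++)
        diff |= pa[i] ^ pb[i];
    return diff != 0;
}

/* Model of the data dependency in memcmp()/strcmp(): how many bytes a
 * first-mismatch-exits comparison inspects.  The count, and so the running
 * time, reveals how long the matching prefix is. */
static size_t early_exit_steps(const unsigned char *a, const unsigned char *b,
                               size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return i + 1;
    return n;
}

/* Verify a presented authenticator (e.g. a hash or proof) against the
 * stored one.  Lengths are public for fixed-size hashes, so the early
 * length check leaks nothing; the byte comparison is constant-time. */
static bool authenticator_matches(const unsigned char *stored, size_t stored_len,
                                  const unsigned char *presented,
                                  size_t presented_len)
{
    if (stored_len != presented_len)
        return false;
    return ct_bcmp(stored, presented, stored_len) == 0;
}

int main(void)
{
    /* Constructed 32-byte "hashes": identical except in the last byte. */
    unsigned char stored[32], guess[32];
    memset(stored, 0xA5, sizeof stored);
    memcpy(guess, stored, sizeof guess);
    guess[31] ^= 1;

    printf("early-exit compare inspects %zu of %zu bytes\n",
           early_exit_steps(stored, guess, sizeof stored), sizeof stored);
    guess[0] ^= 1;
    printf("with a first-byte mismatch it inspects %zu byte(s)\n",
           early_exit_steps(stored, guess, sizeof stored));
    printf("constant-time result: %s\n",
           authenticator_matches(stored, 32, guess, 32) ? "match" : "mismatch");
    return 0;
}
```

strcmp() has a second data-dependent exit at the first NUL byte, so when the values are strings, compare fixed-length encodings (or length plus bytes, as above) rather than relying on the terminator.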
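The path-traversal entry above (CVE-2026-6475) states the fix as rejecting output paths that are absolute or contain parent-directory references. The C below is an added example, not the pg_basebackup or pg_rewind code, implementing that rule for file names received from a remote source and joining the validated name onto a target directory with an explicit truncation check. The target directory and the sample file names are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Both separators are recognised so the same check holds for names that a
 * Windows-built source might send. */
static bool is_sep(char c)
{
    return c == '/' || c == '\\';
}

/* Absolute on POSIX ("/x"); absolute or drive-relative on Windows ("C:x",
 * "\\x"). */
static bool is_absolute_path(const char *p)
{
    if (is_sep(p[0]))
        return true;
    if (((p[0] >= 'A' && p[0] <= 'Z') || (p[0] >= 'a' && p[0] <= 'z')) &&
        p[1] == ':')
        return true;
    return false;
}

/* True if any path component is exactly "..".  A component such as
 * "..hidden" is a legitimate file name and is not rejected. */
static bool has_parent_reference(const char *p)
{
    const char *seg = p;

    for (;;) {
        const char *end = seg;
        while (*end && !is_sep(*end))
            end++;
        if (end - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return true;
        if (*end == '\0')
            return false;
        seg = end + 1;
    }
}

/* Decide whether a file name received from the remote side may be written
 * beneath the local target directory. */
static bool is_safe_output_path(const char *p)
{
    if (p == NULL || *p == '\0')
        return false;
    if (is_absolute_path(p))
        return false;
    if (has_parent_reference(p))
        return false;
    return true;
}

/* Join target_dir and the validated relative name into out.  Fails on an
 * unsafe name or when the result would not fit: snprintf() truncation is a
 * silent cousin of the overflow bugs in this release, so check it. */
static bool build_output_path(const char *target_dir, const char *rel,
                              char *out, size_t out_len)
{
    int n;

    if (!is_safe_output_path(rel))
        return false;
    n = snprintf(out, out_len, "%s/%s", target_dir, rel);
    return n >= 0 && (size_t) n < out_len;
}

int main(void)
{
    /* Constructed file names as a hostile source might send them. */
    const char *samples[] = {
        "base/1/1234",
        "pg_wal/000000010000000000000001",
        "/etc/passwd",
        "../../.ssh/authorized_keys",
        "pg_wal/..\\..\\postgresql.conf",
        "C:\\data\\pg_hba.conf",
        "base/..hidden/file",
    };
    char out[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok = build_output_path("/var/lib/postgresql/backup", samples[i],
                                    out, sizeof out);
        printf("%-32s -> %s\n", samples[i], ok ? out : "REJECTED");
    }
    return 0;
}
```

This lexical check constrains where the name itself points; it does not stop a write through a symbolic link already present under the target directory, which needs a separate control (for example, refusing to follow symlinks when opening the output file).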