UbuntuUpdates.org

Package "postgresql-pltcl-16"

Name: postgresql-pltcl-16

Description:

PL/Tcl procedural language for PostgreSQL 16

Latest version: 16.13-0ubuntu0.24.04.1
Release: noble (24.04)
Level: security
Repository: main
Head package: postgresql-16
Homepage: http://www.postgresql.org/

Other versions of "postgresql-pltcl-16" in Noble

Repository Area Version
base main 16.2-1ubuntu4
updates main 16.13-0ubuntu0.24.04.1
PPA: Postgresql 16.13-1.pgdg22.04+1
PPA: Postgresql 16.9-1.pgdg20.04+1

Changelog

Version: 16.13-0ubuntu0.24.04.1 2026-03-04 15:08:11 UTC

  postgresql-16 (16.13-0ubuntu0.24.04.1) noble-security; urgency=medium

  * New upstream version (LP: #2127668).

    + This release encompasses changes from upstream's 16.12 and 16.13
      releases. The former contains fixes for 4 CVEs (among other things), and
      the latter was a hotfix for regressions introduced in 16.12.

    + A dump/restore is not required for those running 16.X.

    + However, if you are upgrading from a version earlier than 16.10, see
      those release notes as well please.

    + Guard against unexpected dimensions of oidvector/int2vector (Tom Lane)

      These data types are expected to be 1-dimensional arrays containing no
      nulls, but there are cast pathways that permit violating those
      expectations. Add checks to some functions that were depending on those
      expectations without verifying them, and could misbehave in consequence.
      (CVE-2026-2003)

    + Harden selectivity estimators against being attached to operators that
      accept unexpected data types (Tom Lane)

      contrib/intarray contained a selectivity estimation function that could
      be abused for arbitrary code execution, because it did not check that
      its input was of the expected data type. Third-party extensions should
      check for similar hazards and add defenses using the technique intarray
      now uses. Since such extension fixes will take time, we now require
      superuser privilege to attach a non-built-in selectivity estimator to an
      operator. (CVE-2026-2004)

    + Fix buffer overrun in contrib/pgcrypto's PGP decryption functions
      (Michael Paquier)

      Decrypting a crafted message with an overlength session key caused a
      buffer overrun, with consequences as bad as arbitrary code execution.
      (CVE-2026-2005)

    + Fix inadequate validation of multibyte character lengths (Thomas Munro,
      Noah Misch)

      Assorted bugs allowed an attacker able to issue crafted SQL to overrun
      string buffers, with consequences as bad as arbitrary code execution.
      After these fixes, applications may observe “invalid byte sequence for
      encoding” errors when string functions process invalid text that has
      been stored in the database. (CVE-2026-2006)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/16/release-16-12.html and
      https://www.postgresql.org/docs/16/release-16-13.html.

  * d/postgresql-16.NEWS: Update.

 -- Athos Ribeiro <email address hidden> Wed, 25 Feb 2026 11:12:24 -0300

2127668 New PostgreSQL upstream microreleases 14.22, 16.13, and 17.9
CVE-2026-2003 Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viabili
CVE-2026-2004 Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary cod
CVE-2026-2005 Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database.
CVE-2026-2006 Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffe

Version: 16.11-0ubuntu0.24.04.1 2025-12-03 17:07:46 UTC

  postgresql-16 (16.11-0ubuntu0.24.04.1) noble-security; urgency=medium

  * New upstream version (LP: #2127667).

    + A dump/restore is not required for those running 16.X.

    + However, if you are upgrading from a version earlier than 16.10, see
      those release notes as well please.

    + Check for CREATE privileges on the schema in CREATE STATISTICS (Jelte
      Fennema-Nio)

      This omission allowed table owners to create statistics in any schema,
      potentially leading to unexpected naming conflicts. (CVE-2025-12817)

    + Avoid integer overflow in allocation-size calculations within libpq
      (Jacob Champion)

      Several places in libpq were not sufficiently careful about computing
      the required size of a memory allocation. Sufficiently large inputs
      could cause integer overflow, resulting in an undersized buffer, which
      would then lead to writing past the end of the buffer. (CVE-2025-12818)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/16/release-16-11.html.

  * d/postgresql-16.NEWS: Update NEWS file.

 -- Athos Ribeiro <email address hidden> Mon, 24 Nov 2025 09:58:56 -0300

2127667 New PostgreSQL upstream microreleases 14.20, 16.11, and 17.7
CVE-2025-12817 Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users
CVE-2025-12818 Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to under
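
The undersized-buffer failure described in the CVE-2025-12818 entry above, as an added example that is not libpq's own code. The function names and the "2 bytes per input byte plus terminator" sizing are assumptions chosen for illustration; the helper generalizes to any count * elem + extra calculation.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Unchecked sizing done in 32-bit arithmetic, standing in for the bug
 * class: the result wraps silently for large len. */
uint32_t escape_size_unchecked(uint32_t len)
{
    return 2u * len + 1u;
}

/* Checked form: computes count * elem + extra in size_t and reports
 * overflow instead of returning a wrapped (undersized) value.
 * Returns 1 and sets *out on success, 0 on overflow. */
int size_mul_add(size_t count, size_t elem, size_t extra, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return 0;                       /* count * elem would wrap */
    size_t prod = count * elem;
    if (prod > SIZE_MAX - extra)
        return 0;                       /* prod + extra would wrap */
    *out = prod + extra;
    return 1;
}

/* Bytes needed to escape len input bytes, or 0 if not representable
 * (0 is never a valid size here because of the terminator). */
size_t escape_size_checked(size_t len)
{
    size_t need;
    return size_mul_add(len, 2, 1, &need) ? need : 0;
}

int main(void)
{
    /* Constructed input length: 2^31 bytes. */
    printf("unchecked: %u byte(s)\n",
           (unsigned) escape_size_unchecked(0x80000000u));
    printf("checked, len 10: %zu\n", escape_size_checked(10));
    printf("checked, len SIZE_MAX/2+1: %zu\n",
           escape_size_checked(SIZE_MAX / 2 + 1));
    return 0;
}
```

A caller that receives 0 from the checked form must fail the request rather than allocate.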

Version: 16.10-0ubuntu0.24.04.1 2025-09-08 15:07:07 UTC

  postgresql-16 (16.10-0ubuntu0.24.04.1) noble-security; urgency=medium

  * New upstream version (LP: #2112531).

    + A dump/restore is not required for those running 16.X.

    + However, if you have any BRIN numeric_minmax_multi_ops indexes, it is
      advisable to reindex them after updating. Keep reading for further
      information.

    + Also, if you are upgrading from a version earlier than 16.9, see those
      release notes as well please.

    + Tighten security checks in planner estimation functions (Dean Rasheed)

      The fix for CVE-2017-7484, plus followup fixes, intended to prevent
      leaky functions from being applied to statistics data for columns that
      the calling user does not have permission to read. Two gaps in that
      protection have been found. One gap applies to partitioning and
      inheritance hierarchies where RLS policies on the tables should restrict
      access to statistics data, but did not.

      The other gap applies to cases where the query accesses a table via a
      view, and the view owner has permissions to read the underlying table
      but the calling user does not have permissions on the view. The view
      owner's permissions satisfied the security checks, and the leaky
      function would get applied to the underlying table's statistics before
      we check the calling user's permissions on the view. This has been fixed
      by making security checks on views occur at the start of planning. That
      might cause permissions failures to occur earlier than before.
      (CVE-2025-8713)

    + Prevent pg_dump scripts from being used to attack the user running the
      restore (Nathan Bossart)

      Since dump/restore operations typically involve running SQL commands as
      superuser, the target database installation must trust the source
      server. However, it does not follow that the operating system user who
      executes psql to perform the restore should have to trust the source
      server. The risk here is that an attacker who has gained superuser-level
      control over the source server might be able to cause it to emit text
      that would be interpreted as psql meta-commands. That would provide
      shell-level access to the restoring user's own account, independently of
      access to the target database.

      To provide a positive guarantee that this can't happen, extend psql with
      a \restrict command that prevents execution of further meta-commands,
      and teach pg_dump to issue that before any data coming from the source
      server. (CVE-2025-8714)

    + Convert newlines to spaces in names included in comments in pg_dump
      output (Noah Misch)

      Object names containing newlines offered the ability to inject arbitrary
      SQL commands into the output script. (Without the preceding fix,
      injection of psql meta-commands would also be possible this way.)
      CVE-2012-0868 fixed this class of problem at the time, but later work
      reintroduced several cases. (CVE-2025-8715)

    + Fix incorrect distance calculation in BRIN numeric_minmax_multi_ops
      support function (Peter Eisentraut, Tom Lane)

      The results were sometimes wrong on 64-bit platforms, and wildly wrong
      on 32-bit platforms. This did not produce obvious failures because the
      logic is only used to choose how to merge values into ranges; at worst
      the index would become inefficient and bloated. Nonetheless it's
      recommended to reindex any BRIN indexes that use the
      numeric_minmax_multi_ops operator class.

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/16/release-16-10.html.

  * d/postgresql-16.NEWS: Update.

  * d/p/hurd-iovec: drop patch applied upstream.

 -- Athos Ribeiro <email address hidden> Mon, 25 Aug 2025 17:36:09 -0300

2112531 New PostgreSQL upstream microreleases 14.19, 16.10, and 17.6
CVE-2017-7484 It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, an
CVE-2025-8713 PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to
CVE-2025-8714 Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time executi
CVE-2012-0868 CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows use
CVE-2025-8715 Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution a
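
The newline-to-space conversion described in the CVE-2025-8715 entry above, as an added example that is not pg_dump's own code. `comment_safe_name` and `header_comment_lines` are hypothetical helpers, the header comment is only modelled on dump-script comments, and the object name is constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: malloc'd copy of name with CR and LF replaced by
 * spaces, so the name cannot end the "--" comment line it is placed in.
 * Returns NULL on allocation failure. */
char *comment_safe_name(const char *name)
{
    size_t len = strlen(name);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++)
        out[i] = (name[i] == '\n' || name[i] == '\r') ? ' ' : name[i];
    out[len] = '\0';
    return out;
}

/* Build a one-line header comment for an object and return how many
 * script lines it occupies. More than 1 means text from the name has
 * escaped the comment and would be read as script. -1 on error. */
int header_comment_lines(const char *name, int sanitize)
{
    char buf[256];
    char *safe = sanitize ? comment_safe_name(name) : NULL;
    if (sanitize && safe == NULL)
        return -1;
    int n = snprintf(buf, sizeof buf, "-- Name: %s; Type: TABLE\n",
                     sanitize ? safe : name);
    free(safe);
    if (n < 0 || (size_t) n >= sizeof buf)
        return -1;
    int lines = 0;
    for (const char *p = buf; *p != '\0'; p++)
        if (*p == '\n')
            lines++;
    return lines;
}

int main(void)
{
    const char *name = "t1\nSELECT 1;";   /* constructed object name */
    printf("raw: %d line(s)\n", header_comment_lines(name, 0));
    printf("sanitized: %d line(s)\n", header_comment_lines(name, 1));
    return 0;
}
```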

Version: 16.9-0ubuntu0.24.04.1 2025-05-20 23:07:09 UTC

  postgresql-16 (16.9-0ubuntu0.24.04.1) noble-security; urgency=medium

  * New upstream version (LP: #2110377).

    + A dump/restore is not required for those running 16.X.

    + However, if you have any self-referential foreign key constraints on
      partitioned tables, it may be necessary to recreate those constraints to
      ensure that they are being enforced correctly. Follow the steps below to
      do so.

    + Also, if you have any BRIN bloom indexes, it may be advisable to reindex
      them after updating. Follow the steps below to do so.

    + Also, if you are upgrading from a version earlier than 16.5, see those
      release notes as well please.

    + Avoid one-byte buffer overread when examining invalidly-encoded strings
      that are claimed to be in GB18030 encoding (Noah Misch, Andres Freund)

      While unlikely, a SIGSEGV crash could occur if an incomplete multibyte
      character appeared at the end of memory. This was possible both in the
      server and in libpq-using applications. (CVE-2025-4207)

    + Handle self-referential foreign keys on partitioned tables correctly
      (Álvaro Herrera)

      Creating or attaching partitions failed to make the required catalog
      entries for a foreign-key constraint, if the table referenced by the
      constraint was the same partitioned table. This resulted in failure to
      enforce the constraint fully.

      To fix this, you should drop and recreate any self-referential foreign
      keys on partitioned tables, if partitions have been created or attached
      since the constraint was created. Bear in mind that violating rows might
      already be present, in which case recreating the constraint will fail,
      and you'll need to fix up those rows before trying again.

    + Avoid data loss when merging compressed BRIN summaries in
      brin_bloom_union() (Tomas Vondra)

      The code failed to account for decompression results not being identical
      to the input objects, which would result in failure to add some of the
      data to the merged summary, leading to missed rows in index searches.

      This mistake was present back to v14 where BRIN bloom indexes were
      introduced, but this code path was only rarely reached then. It's
      substantially more likely to be hit in v17 because parallel index builds
      now use the code.

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/16/release-16-9.html.

  * d/postgresql-16.NEWS: Update.

 -- Athos Ribeiro <email address hidden> Sun, 11 May 2025 06:29:41 -0300

2110377 New PostgreSQL upstream microreleases 14.18, 16.9, and 17.5
CVE-2025-4207 Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where

Version: 16.8-0ubuntu0.24.04.1 2025-03-03 17:07:03 UTC

  postgresql-16 (16.8-0ubuntu0.24.04.1) noble-security; urgency=medium

  * New upstream version (LP: #2099900).

    + This release encompasses changes from upstream's 16.7 and 16.8
      releases. The former contains fixes for CVE-2025-1094 (among other
      things), and the latter was a hotfix for a problem caused by the CVE
      fix from 16.7.

    + A dump/restore is not required for those running 16.X.

    + However, if you are upgrading from a version earlier than 16.5, see
      those release notes as well please.

    + Harden PQescapeString and allied functions against invalidly-encoded
      input strings (Andres Freund, Noah Misch)

      Data-quoting functions supplied by libpq now fully check the encoding
      validity of their input. If invalid characters are detected, they report
      an error if possible. For the ones that lack an error return convention,
      the output string is adjusted to ensure that the server will report
      invalid encoding and no intervening processing will be fooled by bytes
      that might happen to match single quote, backslash, etc.

      The purpose of this change is to guard against SQL-injection attacks
      that are possible if one of these functions is used to quote crafted
      input. There is no hazard when the resulting string is sent directly to
      a PostgreSQL server (which would check its encoding anyway), but there
      is a risk when it is passed through psql or other client-side code.
      Historically such code has not carefully vetted encoding, and in many
      cases it's not clear what it should do if it did detect such a problem.

      This fix is effective only if the data-quoting function, the server, and
      any intermediate processing agree on the character encoding that's being
      used. Applications that insert untrusted input into SQL commands should
      take special care to ensure that that's true.

      Applications and drivers that quote untrusted input without using these
      libpq functions may be at risk of similar problems. They should first
      confirm the data is valid in the encoding expected by the server.

      The PostgreSQL Project thanks Stephen Fewer for reporting this problem.
      (CVE-2025-1094)

    + Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane)

      The changes made for CVE-2025-1094 had one serious oversight:
      PQescapeLiteral() and PQescapeIdentifier() failed to honor their string
      length parameter, instead always reading to the input string's trailing
      null. This resulted in including unwanted text in the output, if the
      caller intended to truncate the string via the length parameter. With
      very bad luck it could cause a crash due to reading off the end of
      memory.

      In addition, modify all these quoting functions so that when invalid
      encoding is detected, an invalid sequence is substituted for just the
      first byte of the presumed character, not all of it. This reduces the
      risk of problems if a calling application performs additional processing
      on the quoted string.

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/16/release-16-7.html and
      https://www.postgresql.org/docs/16/release-16-8.html.

  * d/postgresql-16.NEWS: Update.

 -- Athos Ribeiro <email address hidden> Mon, 24 Feb 2025 12:40:53 -0300

2099900 New PostgreSQL upstream microreleases 14.17 and 16.8
CVE-2025-1094 Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeString


