UbuntuUpdates.org

Package "postgresql-18"

Name: postgresql-18

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • PostgreSQL C client library - OAuth flow
  • development files for PostgreSQL 18 server-side programming
Latest version: 18.4-0ubuntu0.26.04.1
Release: resolute (26.04)
Level: security
Repository: universe

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Other versions of "postgresql-18" in Resolute

Repository Area Version
base main 18.3-1
base universe 18.3-1
security main 18.4-0ubuntu0.26.04.1
updates main 18.4-0ubuntu0.26.04.1
updates universe 18.4-0ubuntu0.26.04.1
PPA: Postgresql 18.4-1.pgdg22.04+1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 18.4-0ubuntu0.26.04.1 2026-05-21 22:07:41 UTC

  postgresql-18 (18.4-0ubuntu0.26.04.1) resolute-security; urgency=medium

  * New upstream version (LP: #2152636).

    + A dump/restore is not required for those running 16.X.

    + However, if you are upgrading from a version earlier than 18.2, see
      those release notes as well please.

    + Prevent unbounded recursion while processing startup packets

      A malicious client could crash the connected backend by alternating
      rejected SSL and GSS encryption requests indefinitely. (CVE-2026-6479)

    + Fix assorted integer overflows in memory-allocation calculations

      Various places were incautious about the possibility of integer overflow
      in calculations of how much memory to allocate. Overflow would lead to
      allocating a too-small buffer which the caller would then write past the
      end of. This would at least trigger server crashes, and probably could
      be exploited for arbitrary code execution. In many but by no means all
      cases, the hazard exists only in 32-bit builds. (CVE-2026-6473)

    + Properly quote subscription names in pg_createsubscriber

      The given subscription name was inserted into SQL commands without
      quoting, so that SQL injection could be achieved in the (perhaps
      unlikely) case that the subscription name comes from an untrusted
      source. (CVE-2026-6476)

    + Properly quote object names in logical replication origin checks

      ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolated schema and
      relation names into SQL commands without quoting them, allowing
      execution of arbitrary SQL on the publisher. (CVE-2026-6638)

    + Reject over-length options in ts_headline()

      The StartSel, StopSel and FragmentDelimiter strings must not exceed 32Kb
      in length, but this was not checked for. An over-length value would
      typically crash the server. (CVE-2026-6473)

    + Detect faulty input when restoring attribute MCV statistics

      The statistics restore functions were insufficiently careful about
      validating most-common-value statistics, and would accept values that
      could crash the planner later on. (CVE-2026-6575)

    + Guard against malicious time zone names in timeofday() and pg_strftime()

      A crafted time zone setting could pass % sequences to snprintf(),
      potentially causing crashes or disclosure of server memory. Another path
      to similar results was to overflow the limited-size output buffer used
      by pg_strftime(). (CVE-2026-6474)

    + When creating a multirange type, ensure the user has CREATE privilege on
      the schema specified for the multirange type

      The multirange type can be put into a different schema than its parent
      range type, but we neglected to apply the required privilege check when
      doing so. (CVE-2026-6472)

    + Use timing-safe string comparisons in authentication code

      Use timingsafe_bcmp() instead of memcpy() or strcmp() when checking
      passwords, hashes, etc. It is not known whether the data dependency of
      those functions is usefully exploitable in any of these places, but in
      the interests of safety, replace them. (CVE-2026-6478)

    + Mark PQfn() as unsafe, and avoid using it within libpq

      For a non-integral result type, PQfn() is not passed the size of the
      output buffer, so it cannot check that the data returned by the server
      will fit. A malicious server could therefore overwrite client memory.
      This is unfixable without an API change, so mark the function as
      deprecated. Internally to libpq, use a variant version that can apply
      the missing check. (CVE-2026-6477)

    + Prevent path traversal in pg_basebackup and pg_rewind

      These applications failed to validate output file paths read from their
      input, so that a malicious source could overwrite any file writable by
      these applications. Constrain where data can be written by rejecting
      paths that are absolute or contain parent-directory references.
      (CVE-2026-6475)

    + Guard against field overflow within contrib/intarray's query_int type
      and contrib/ltree's ltxtquery type

      Parsing of these query structures did not check for overflow of 16-bit
      fields, so that construction of an invalid query tree was possible. This
      can crash the server when executing the query. (CVE-2026-6473)

    + Guard against overly long values of contrib/ltree's lquery type

      Values with more than 64K items caused internal overflows, potentially
      resulting in stack smashes or wrong answers. (CVE-2026-6473)

    + Prevent SQL injection and buffer overruns in contrib/spi

      check_foreign_key() was insufficiently careful about quoting key values,
      and also used fixed-length buffers for constructing queries. While this
      module is only meant as example code, it still shouldn't contain such
      dangerous errors. (CVE-2026-6637)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/18/release-18-4.html.

  * d/postgresql-18.NEWS: add NEWS file.

 -- Athos Ribeiro <email address hidden> Fri, 15 May 2026 05:16:50 -0300
2152636 New PostgreSQL upstream microreleases 14.23, 16.14, 17.10, and 18.4
CVE-2026-6479 Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained d
CVE-2026-6473 Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and wri
CVE-2026-6476 SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The a
CVE-2026-6638 SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL
CVE-2026-6575 Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read pa
CVE-2026-6474 Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone
CVE-2026-6472 Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, inc
CVE-2026-6478 Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to
CVE-2026-6477 Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functi
CVE-2026-6475 Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgr
CVE-2026-6637 Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user runni


About   -   Send Feedback to @ubuntu_updates