Release date:
2026-05-27 11:18:48 UTC
Description:
* SECURITY UPDATE: postgresql May-2026 CVE batch
  - debian/patches/CVE-2026-6473.patch: integer overflow fixes across multiple
    vulnerable sites: hstore_plperl/hstore_plpython palloc sizing (mul_size),
    array_agg() nitems overflow, intarray/ltxtquery findoprnd() left-offset
    overflow, ltree lquery numvar/totallen overflow, and ts_headline option
    length overflow.
  - debian/patches/CVE-2026-6474.patch: guard pg_strftime() callers and ensure
    null-terminated output on overflow, plus split timeofday() pg_strftime so
    the %Z timezone string is never embedded as a format string in subsequent
    snprintf().
  - debian/patches/CVE-2026-6475.patch: prevent path traversal in pg_rewind
    file operations via path_is_safe_for_extraction() helper.
  - debian/patches/CVE-2026-6477.patch: harden PQfn()/pqFunctionCall3() against
    server-controlled buffer overruns in libpq large-object interface.
  - debian/patches/CVE-2026-6478.patch: add timingsafe_bcmp() helper and apply
    to MD5/SCRAM/RADIUS/plain auth-paths to prevent timing-channel leaks.
  - debian/patches/CVE-2026-6637.patch: switch refint contrib check_foreign_key
    to StringInfo and quote_literal_cstr() to prevent SQL injection and stack
    buffer overruns.
  - CVE-2026-6473
  - CVE-2026-6474
  - CVE-2026-6475
  - CVE-2026-6477
  - CVE-2026-6478
  - CVE-2026-6637
* debian/patches/fix-regress-tzdata-LMT.patch: refresh src/test/regress
  expected output for date, timestamptz and horology tests so that they
  match the LMT abbreviation emitted by current tzdata for pre-1883
  America/Los_Angeles dates.
Updated packages:
- libecpg-compat3_10.23-0ubuntu0.18.04.2+tuxcare.els6_amd64.deb
  sha:beac16dcca065d294d0a2bf3962c3d0e75d6b9ce
- libecpg-dev_10.23-0ubuntu0.18.04.2+tuxcare.els6_amd64.deb
  sha:583529054ed82aed892c0d8861b9056216c5e695
- libecpg6_10.23-0ubuntu0.18.04.2+tuxcare.els6_amd64.deb
  sha:4c8903504717a4c3ecfaa3f7fda7bf9d4d6435cc
- libpgtypes3_10.23-0ubuntu0.18.04.2+tuxcare.els6_amd64.deb
  sha:aa0d241b985f93841f4423e542f7da5873ada11c
- libpq-dev_10.23-0ubuntu0.18.04.2+tuxcare.els6_amd64.deb
  sha:d9e8bce76d4ba8aee65450015837b415107bc38b
- libpq5_10.23-0ubuntu0.18.04.2+tuxcare.els6_amd64.deb
  sha:aea12e2fd5703c3b721df91b8e5fe7ad55e7d188
- postgresql-10_10.23-0ubuntu0.18.04.2+tuxcare.els6_amd64.deb
  sha:d0e1929cdfd9b663a5095472aa77fa21c3a79670
- postgresql-client-10_10.23-0ubuntu0.18.04.2+tuxcare.els6_amd64.deb
  sha:be9da97b10bb0097a6af36f1f6cda3e16395ae4f
- postgresql-doc-10_10.23-0ubuntu0.18.04.2+tuxcare.els6_all.deb
  sha:79e03e260416afbdea1cf51ba9a627a9a6dd4164
- postgresql-plperl-10_10.23-0ubuntu0.18.04.2+tuxcare.els6_amd64.deb
  sha:c73b7d6f8dbd62158b70f290c66e56c6aff1921f
- postgresql-plpython-10_10.23-0ubuntu0.18.04.2+tuxcare.els6_amd64.deb
  sha:d42c8fa96aecea73819ada473e5bc7fa5d9f1dfe
- postgresql-plpython3-10_10.23-0ubuntu0.18.04.2+tuxcare.els6_amd64.deb
  sha:c843494f3969c342a5b48a9f9e359d5f0c43d4a6
- postgresql-pltcl-10_10.23-0ubuntu0.18.04.2+tuxcare.els6_amd64.deb
  sha:d7a2b19141b4f028d089fbbefeadaf3f5a705532
- postgresql-server-dev-10_10.23-0ubuntu0.18.04.2+tuxcare.els6_amd64.deb
  sha:7595f6ba1bc2c9faae745c9ef5469194e1bfc08c
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections, please contact the CloudLinux Packaging Team.