-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 11 May 2026 22:57:44 +0200
Source: postgresql-17
Binary: postgresql-doc-17
Architecture: all
Version: 17.10-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03) <buildd_amd64-x86-grnet-03@buildd.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description:
 postgresql-doc-17 - documentation for the PostgreSQL database management system
Changes:
 postgresql-17 (17.10-0+deb13u1) trixie-security; urgency=medium
 .
   * New upstream version 17.10.
 .
     + Prevent unbounded recursion while processing startup packets
       (Michael Paquier)
 .
       A malicious client could crash the connected backend by alternating
       rejected SSL and GSS encryption requests indefinitely.
 .
       The PostgreSQL Project thanks Calif.io (in collaboration with Claude and
       Anthropic Research) for reporting this problem. (CVE-2026-6479)
 .
     + Fix assorted integer overflows in memory-allocation calculations
       (Tom Lane, Nathan Bossart, Heikki Linnakangas)
 .
       Various places were incautious about the possibility of integer overflow
       in calculations of how much memory to allocate.  Overflow would lead to
       allocating a too-small buffer which the caller would then write past the
       end of.  This would at least trigger server crashes, and probably could
       be exploited for arbitrary code execution.  In many but by no means all
       cases, the hazard exists only in 32-bit builds.
 .
       The PostgreSQL Project thanks Xint Code, Bruce Dang, Sven Klemm, and
       Pavel Kohout for reporting these problems. (CVE-2026-6473)
 .
     + Properly quote subscription names in pg_createsubscriber
       (Nathan Bossart)
 .
       The given subscription name was inserted into SQL commands without
       quoting, so that SQL injection could be achieved in the (perhaps
       unlikely) case that the subscription name comes from an untrusted
       source.
 .
       The PostgreSQL Project thanks Yu Kunpeng for reporting this problem.
       (CVE-2026-6476)
 .
     + Properly quote object names in logical replication origin checks
       (Pavel Kohout)
 .
       ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolated schema and
       relation names into SQL commands without quoting them, allowing
       execution of arbitrary SQL on the publisher.
 .
       The PostgreSQL Project thanks Pavel Kohout for reporting this problem.
       (CVE-2026-6638)
 .
     + Reject over-length options in ts_headline() (Michael Paquier)
 .
       The StartSel, StopSel and FragmentDelimiter strings must not exceed 32Kb
       in length, but this was not checked for.  An over-length value would
       typically crash the server.
 .
       The PostgreSQL Project thanks Xint Code for reporting this problem.
       (CVE-2026-6473)
 .
     + Guard against malicious time zone names in timeofday() and pg_strftime()
       (Tom Lane)
 .
       A crafted time zone setting could pass % sequences to snprintf(),
       potentially causing crashes or disclosure of server memory.  Another
       path to similar results was to overflow the limited-size output buffer
       used by pg_strftime().
 .
       The PostgreSQL Project thanks Xint Code for reporting this problem.
       (CVE-2026-6474)
 .
     + When creating a multirange type, ensure the user has CREATE privilege on
       the schema specified for the multirange type (Jelte Fennema-Nio)
 .
       The multirange type can be put into a different schema than its parent
       range type, but we neglected to apply the required privilege check when
       doing so.
 .
       The PostgreSQL Project thanks Jelte Fennema-Nio for reporting this
       problem. (CVE-2026-6472)
 .
     + Use timing-safe string comparisons in authentication code
       (Michael Paquier)
 .
       Use timingsafe_bcmp() instead of memcpy() or strcmp() when checking
       passwords, hashes, etc.  It is not known whether the data dependency of
       those functions is usefully exploitable in any of these places, but in
       the interests of safety, replace them.
 .
       The PostgreSQL Project thanks Joe Conway for reporting this problem.
       (CVE-2026-6478)
 .
     + Mark PQfn() as unsafe, and avoid using it within libpq (Nathan Bossart)
 .
       For a non-integral result type, PQfn() is not passed the size of the
       output buffer, so it cannot check that the data returned by the server
       will fit.  A malicious server could therefore overwrite client memory.
       This is unfixable without an API change, so mark the function as
       deprecated.  Internally to libpq, use a variant version that can apply
       the missing check.
 .
       The PostgreSQL Project thanks Yu Kunpeng and Martin Heistermann for
       reporting this problem. (CVE-2026-6477)
 .
     + Prevent path traversal in pg_basebackup and pg_rewind (Michael Paquier)
 .
       These applications failed to validate output file paths read from their
       input, so that a malicious source could overwrite any file writable by
       these applications.  Constrain where data can be written by rejecting
       paths that are absolute or contain parent-directory references.
 .
       The PostgreSQL Project thanks XlabAI Team of Tencent Xuanwu Lab and
       Valery Gubanov for reporting this problem. (CVE-2026-6475)
 .
     + Guard against field overflow within contrib/intarray's query_int type
       and contrib/ltree's ltxtquery type (Tom Lane)
 .
       Parsing of these query structures did not check for overflow of 16-bit
       fields, so that construction of an invalid query tree was possible.
       This can crash the server when executing the query.
 .
       The PostgreSQL Project thanks Xint Code for reporting this problem.
       (CVE-2026-6473)
 .
     + Guard against overly long values of contrib/ltree's lquery type
       (Michael Paquier)
 .
       Values with more than 64K items caused internal overflows, potentially
       resulting in stack smashes or wrong answers.
 .
       The PostgreSQL Project thanks Vergissmeinnicht, A1ex, and Jihe Wang for
       reporting this problem. (CVE-2026-6473)
 .
     + Prevent SQL injection and buffer overruns in contrib/spi
       (Nathan Bossart)
 .
       check_foreign_key() was insufficiently careful about quoting key values,
       and also used fixed-length buffers for constructing queries.  While this
       module is only meant as example code, it still shouldn't contain such
       dangerous errors.
 .
       The PostgreSQL Project thanks Nikolay Samokhvalov for reporting this
       problem. (CVE-2026-6637)
Checksums-Sha1:
 6e6d09d95b76fc57433de36c2491d09013a87e50 10349 postgresql-17_17.10-0+deb13u1_all-buildd.buildinfo
 33498f9caf06c645c7682f5a34934745e0250298 2165644 postgresql-doc-17_17.10-0+deb13u1_all.deb
Checksums-Sha256:
 ff985495dc53d39e1562124b89fee965fed22b8b8c2746f4b8672be35f4499a0 10349 postgresql-17_17.10-0+deb13u1_all-buildd.buildinfo
 843a276c76e6b76b252eb53f9c25a6b8d307c8ec49198c2d6325b2e9d22c7f25 2165644 postgresql-doc-17_17.10-0+deb13u1_all.deb
Files:
 325b548f259b19ab0e5d9a21bdd501ff 10349 database optional postgresql-17_17.10-0+deb13u1_all-buildd.buildinfo
 bfcfffd86c5a12418b79ac4fef06087f 2165644 doc optional postgresql-doc-17_17.10-0+deb13u1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
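The integer-overflow entry above (CVE-2026-6473) says an overflowing size calculation yields a too-small buffer, mostly on 32-bit builds. The following added example, not taken from PostgreSQL, shows the wrap and a checked form; `uint32_t` stands in for a 32-bit `size_t`, and the function names and values are constructed for illustration:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption of this example: uint32_t models size_t on a 32-bit build. */
typedef uint32_t size32;

/* Incautious form: header + nitems * item_size silently wraps modulo 2^32. */
size32 alloc_size_unchecked(size32 nitems, size32 item_size, size32 header)
{
    return header + nitems * item_size;
}

/* Checked form: refuses the request instead of returning a wrapped size. */
bool alloc_size_checked(size32 nitems, size32 item_size, size32 header,
                        size32 *out)
{
    /* nitems * item_size + header fits iff
     * nitems <= (UINT32_MAX - header) / item_size */
    if (item_size != 0 && nitems > (UINT32_MAX - header) / item_size)
        return false;
    *out = header + nitems * item_size;
    return true;
}

int main(void)
{
    size32 n = 0x20000001u;     /* constructed item count */
    size32 sz = 0;

    /* 0x20000001 * 8 wraps to 8, so only 24 bytes would be allocated
     * for roughly 4 GiB of items the caller then writes. */
    printf("unchecked: %u bytes for %u 8-byte items\n",
           (unsigned) alloc_size_unchecked(n, 8, 16), (unsigned) n);
    printf("checked:   %s\n",
           alloc_size_checked(n, 8, 16, &sz) ? "ok" : "rejected");
    return 0;
}
```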
