-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 11 May 2026 22:57:44 +0200
Source: postgresql-17
Binary: libecpg-compat3 libecpg-compat3-dbgsym libecpg-dev libecpg-dev-dbgsym libecpg6 libecpg6-dbgsym libpgtypes3 libpgtypes3-dbgsym libpq-dev libpq5 libpq5-dbgsym postgresql-17 postgresql-17-dbgsym postgresql-client-17 postgresql-client-17-dbgsym postgresql-plperl-17 postgresql-plperl-17-dbgsym postgresql-plpython3-17 postgresql-plpython3-17-dbgsym postgresql-pltcl-17 postgresql-pltcl-17-dbgsym postgresql-server-dev-17 postgresql-server-dev-17-dbgsym
Architecture: ppc64el
Version: 17.10-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: ppc64el Build Daemon (ppc64el-osuosl-02) <buildd_ppc64el-ppc64el-osuosl-02@buildd.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 17
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql-17 - The World's Most Advanced Open Source Relational Database
 postgresql-client-17 - front-end programs for PostgreSQL 17
 postgresql-plperl-17 - PL/Perl procedural language for PostgreSQL 17
 postgresql-plpython3-17 - PL/Python 3 procedural language for PostgreSQL 17
 postgresql-pltcl-17 - PL/Tcl procedural language for PostgreSQL 17
 postgresql-server-dev-17 - development files for PostgreSQL 17 server-side programming
Changes:
 postgresql-17 (17.10-0+deb13u1) trixie-security; urgency=medium
 .
   * New upstream version 17.10.
 .
     + Prevent unbounded recursion while processing startup packets
       (Michael Paquier)
 .
       A malicious client could crash the connected backend by alternating
       rejected SSL and GSS encryption requests indefinitely.
 .
       The PostgreSQL Project thanks Calif.io (in collaboration with Claude and
       Anthropic Research) for reporting this problem. (CVE-2026-6479)
 .
     + Fix assorted integer overflows in memory-allocation calculations
       (Tom Lane, Nathan Bossart, Heikki Linnakangas)
 .
       Various places were incautious about the possibility of integer overflow
       in calculations of how much memory to allocate.  Overflow would lead to
       allocating a too-small buffer which the caller would then write past the
       end of.  This would at least trigger server crashes, and probably could
       be exploited for arbitrary code execution.  In many but by no means all
       cases, the hazard exists only in 32-bit builds.
 .
       The PostgreSQL Project thanks Xint Code, Bruce Dang, Sven Klemm, and
       Pavel Kohout for reporting these problems. (CVE-2026-6473)
 .
     + Properly quote subscription names in pg_createsubscriber
       (Nathan Bossart)
 .
       The given subscription name was inserted into SQL commands without
       quoting, so that SQL injection could be achieved in the (perhaps
       unlikely) case that the subscription name comes from an untrusted
       source.
 .
       The PostgreSQL Project thanks Yu Kunpeng for reporting this problem.
       (CVE-2026-6476)
 .
     + Properly quote object names in logical replication origin checks
       (Pavel Kohout)
 .
       ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolated schema and
       relation names into SQL commands without quoting them, allowing
       execution of arbitrary SQL on the publisher.
 .
       The PostgreSQL Project thanks Pavel Kohout for reporting this problem.
       (CVE-2026-6638)
 .
     + Reject over-length options in ts_headline() (Michael Paquier)
 .
       The StartSel, StopSel and FragmentDelimiter strings must not exceed 32Kb
       in length, but this was not checked for.  An over-length value would
       typically crash the server.
 .
       The PostgreSQL Project thanks Xint Code for reporting this problem.
       (CVE-2026-6473)
 .
     + Guard against malicious time zone names in timeofday() and pg_strftime()
       (Tom Lane)
 .
       A crafted time zone setting could pass % sequences to snprintf(),
       potentially causing crashes or disclosure of server memory.  Another
       path to similar results was to overflow the limited-size output buffer
       used by pg_strftime().
 .
       The PostgreSQL Project thanks Xint Code for reporting this problem.
       (CVE-2026-6474)
 .
     + When creating a multirange type, ensure the user has CREATE privilege on
       the schema specified for the multirange type (Jelte Fennema-Nio)
 .
       The multirange type can be put into a different schema than its parent
       range type, but we neglected to apply the required privilege check when
       doing so.
 .
       The PostgreSQL Project thanks Jelte Fennema-Nio for reporting this
       problem. (CVE-2026-6472)
 .
     + Use timing-safe string comparisons in authentication code
       (Michael Paquier)
 .
       Use timingsafe_bcmp() instead of memcpy() or strcmp() when checking
       passwords, hashes, etc.  It is not known whether the data dependency of
       those functions is usefully exploitable in any of these places, but in
       the interests of safety, replace them.
 .
       The PostgreSQL Project thanks Joe Conway for reporting this problem.
       (CVE-2026-6478)
 .
     + Mark PQfn() as unsafe, and avoid using it within libpq (Nathan Bossart)
 .
       For a non-integral result type, PQfn() is not passed the size of the
       output buffer, so it cannot check that the data returned by the server
       will fit.  A malicious server could therefore overwrite client memory.
       This is unfixable without an API change, so mark the function as
       deprecated.  Internally to libpq, use a variant version that can apply
       the missing check.
 .
       The PostgreSQL Project thanks Yu Kunpeng and Martin Heistermann for
       reporting this problem. (CVE-2026-6477)
 .
     + Prevent path traversal in pg_basebackup and pg_rewind (Michael Paquier)
 .
       These applications failed to validate output file paths read from their
       input, so that a malicious source could overwrite any file writable by
       these applications.  Constrain where data can be written by rejecting
       paths that are absolute or contain parent-directory references.
 .
       The PostgreSQL Project thanks XlabAI Team of Tencent Xuanwu Lab and
       Valery Gubanov for reporting this problem. (CVE-2026-6475)
 .
     + Guard against field overflow within contrib/intarray's query_int type
       and contrib/ltree's ltxtquery type (Tom Lane)
 .
       Parsing of these query structures did not check for overflow of 16-bit
       fields, so that construction of an invalid query tree was possible.
       This can crash the server when executing the query.
 .
       The PostgreSQL Project thanks Xint Code for reporting this problem.
       (CVE-2026-6473)
 .
     + Guard against overly long values of contrib/ltree's lquery type
       (Michael Paquier)
 .
       Values with more than 64K items caused internal overflows, potentially
       resulting in stack smashes or wrong answers.
 .
       The PostgreSQL Project thanks Vergissmeinnicht, A1ex, and Jihe Wang for
       reporting this problem. (CVE-2026-6473)
 .
     + Prevent SQL injection and buffer overruns in contrib/spi
       (Nathan Bossart)
 .
       check_foreign_key() was insufficiently careful about quoting key values,
       and also used fixed-length buffers for constructing queries.  While this
       module is only meant as example code, it still shouldn't contain such
       dangerous errors.
 .
       The PostgreSQL Project thanks Nikolay Samokhvalov for reporting this
       problem. (CVE-2026-6637)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
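
The wraparound described in the "Fix assorted integer overflows in memory-allocation calculations" entry, as an added example (not PostgreSQL's code and not part of the signed upload): a size computed as header plus item count times item size wraps on a 32-bit build and yields a too-small buffer, while the checked form refuses the request. The type `size32_t` and both function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: size32_t stands in for size_t on a 32-bit build. */
typedef uint32_t size32_t;

/* Unchecked form: hdr + nitems * itemsz, silently reduced modulo 2^32. */
static size32_t
alloc_size_unchecked(size32_t hdr, size32_t nitems, size32_t itemsz)
{
    return (size32_t) (hdr + nitems * itemsz);
}

/*
 * Checked form: returns false when the true size does not fit, so the
 * caller can raise an error instead of allocating a wrapped size.
 */
static bool
alloc_size_checked(size32_t hdr, size32_t nitems, size32_t itemsz,
                   size32_t *result)
{
    /* nitems * itemsz + hdr <= UINT32_MAX, rearranged to avoid overflow */
    if (itemsz != 0 && nitems > (UINT32_MAX - hdr) / itemsz)
        return false;
    *result = (size32_t) (hdr + nitems * itemsz);
    return true;
}

int
main(void)
{
    /* Constructed input: 2^29 items of 8 bytes behind a 16-byte header. */
    size32_t    hdr = 16, nitems = 0x20000000u, itemsz = 8, sz = 0;

    printf("unchecked size: %u bytes for %u items\n",
           (unsigned) alloc_size_unchecked(hdr, nitems, itemsz),
           (unsigned) nitems);
    if (!alloc_size_checked(hdr, nitems, itemsz, &sz))
        printf("checked: request rejected, size overflows 32 bits\n");
    return 0;
}
```
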
