-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 10 Feb 2026 11:26:19 +0100
Source: postgresql-18
Architecture: source
Version: 18.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
postgresql-18 (18.2-1) unstable; urgency=medium
.
* New upstream version 18.2.
.
+ Guard against unexpected dimensions of oidvector/int2vector (Tom Lane)
.
These data types are expected to be 1-dimensional arrays containing no
nulls, but there are cast pathways that permit violating those
expectations. Add checks to some functions that were depending on those
expectations without verifying them, and could misbehave in consequence.
.
The PostgreSQL Project thanks Altan Birler for reporting this problem.
(CVE-2026-2003)
.
+ Harden selectivity estimators against being attached to operators that
accept unexpected data types (Tom Lane)
.
contrib/intarray contained a selectivity estimation function that could
be abused for arbitrary code execution, because it did not check that
its input was of the expected data type. Third-party extensions should
check for similar hazards and add defenses using the technique intarray
now uses. Since such extension fixes will take time, we now require
superuser privilege to attach a non-built-in selectivity estimator to an
operator.
.
The PostgreSQL Project thanks Daniel Firer, as part of zeroday.cloud,
for reporting this problem. (CVE-2026-2004)
.
+ Fix buffer overrun in contrib/pgcrypto's PGP decryption functions
(Michael Paquier)
.
Decrypting a crafted message with an overlength session key caused a
buffer overrun, with consequences as bad as arbitrary code execution.
.
The PostgreSQL Project thanks Team Xint Code, as part of zeroday.cloud,
for reporting this problem. (CVE-2026-2005)
.
+ Fix inadequate validation of multibyte character lengths
(Thomas Munro, Noah Misch)
.
Assorted bugs allowed an attacker able to issue crafted SQL to overrun
string buffers, with consequences as bad as arbitrary code execution.
After these fixes, applications may observe "invalid byte sequence for
encoding" errors when string functions process invalid text that has been
stored in the database.
.
The PostgreSQL Project thanks Paul Gerste and Moritz Sanft, as part of
zeroday.cloud, for reporting this problem. (CVE-2026-2006)
.
+ Harden contrib/pg_trgm against changes in string lowercasing behavior
(Heikki Linnakangas)
.
Fix potential buffer overruns arising from the fact that in some locales
lower-casing a string can produce more characters (not bytes) than were
in the original. That behavior is new in version 18, and so is the bug.
.
The PostgreSQL Project thanks Heikki Linnakangas for reporting this
problem. (CVE-2026-2007)
.
* Remove pg_numa_init and LLVM 21 patches, merged upstream.
Checksums-Sha1:
4a5bda441ce2be39e94d7f252b323696a91e8554 4752 postgresql-18_18.2-1.dsc
fd04bd29aad83bf4a1dcc2d98950ed9aadd5d34d 22492584 postgresql-18_18.2.orig.tar.bz2
66f2ccc708437b1f224b16072ae53396d5de3503 24220 postgresql-18_18.2-1.debian.tar.xz
Checksums-Sha256:
0503b1027889da889922dc573f4bde10246858ba18f88f8310d0f18bd4962ac3 4752 postgresql-18_18.2-1.dsc
5245bd1b79700d55b8e0575be0325ef61e7bbef627e6a616e4cf36ad4687be36 22492584 postgresql-18_18.2.orig.tar.bz2
8d765faaea7827293470e23557e05bb660087b5b94cd7fc02b7d8815e0fe5ef7 24220 postgresql-18_18.2-1.debian.tar.xz
Files:
ff43d6f125103b24632fc3b319184de0 4752 database optional postgresql-18_18.2-1.dsc
54f31676486d31ea14ed81aa346ee15b 22492584 database optional postgresql-18_18.2.orig.tar.bz2
2549084df46b771a49fc4a0475a92aaf 24220 database optional postgresql-18_18.2-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----