-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 10 Feb 2026 11:50:28 +0100
Source: postgresql-15
Built-For-Profiles: nocheck
Architecture: source
Version: 15.16-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
postgresql-15 (15.16-0+deb12u1) bookworm-security; urgency=medium
.
* New upstream version 15.16.
.
+ Guard against unexpected dimensions of oidvector/int2vector (Tom Lane)
.
These data types are expected to be 1-dimensional arrays containing no
nulls, but there are cast pathways that permit violating those
expectations. Add checks to some functions that were depending on those
expectations without verifying them, and could misbehave in consequence.
.
The PostgreSQL Project thanks Altan Birler for reporting this problem.
(CVE-2026-2003)
.
+ Harden selectivity estimators against being attached to operators that
accept unexpected data types (Tom Lane)
.
contrib/intarray contained a selectivity estimation function that could
be abused for arbitrary code execution, because it did not check that
its input was of the expected data type. Third-party extensions should
check for similar hazards and add defenses using the technique intarray
now uses. Since such extension fixes will take time, we now require
superuser privilege to attach a non-built-in selectivity estimator to an
operator.
.
The PostgreSQL Project thanks Daniel Firer, as part of zeroday.cloud,
for reporting this problem. (CVE-2026-2004)
.
+ Fix buffer overrun in contrib/pgcrypto's PGP decryption functions
(Michael Paquier)
.
Decrypting a crafted message with an overlength session key caused a
buffer overrun, with consequences as bad as arbitrary code execution.
.
The PostgreSQL Project thanks Team Xint Code, as part of zeroday.cloud,
for reporting this problem. (CVE-2026-2005)
.
+ Fix inadequate validation of multibyte character lengths
(Thomas Munro, Noah Misch)
.
Assorted bugs allowed an attacker able to issue crafted SQL to overrun
string buffers, with consequences as bad as arbitrary code execution.
After these fixes, applications may observe invalid byte sequence for
encoding errors when string functions process invalid text that has been
stored in the database.
.
The PostgreSQL Project thanks Paul Gerste and Moritz Sanft, as part of
zeroday.cloud, for reporting this problem. (CVE-2026-2006)
Checksums-Sha1:
c1552fb34bdaf12a0f1d544edf260cbbbc3c1a59 3942 postgresql-15_15.16-0+deb12u1.dsc
85494a48fcdeaf8a101af33599b4c93ceb244ab3 23350381 postgresql-15_15.16.orig.tar.bz2
bbdec3bbc99582e2e5421fa3274edf51ba59edda 30176 postgresql-15_15.16-0+deb12u1.debian.tar.xz
Checksums-Sha256:
04fb4798890e19df8cea289e6efbc709b761b1b13b56755712ba04f9b0d79da6 3942 postgresql-15_15.16-0+deb12u1.dsc
695ee29a77be1f5010e10f3667696f29871587f7aa311eadc1f809bea287cf48 23350381 postgresql-15_15.16.orig.tar.bz2
4e9b1eb2567f9ee11512cdb490d77372526a43cccf8970e9ee5b6cc83da2854f 30176 postgresql-15_15.16-0+deb12u1.debian.tar.xz
Files:
e4e6b5037bb68ef60d8b81574c243eb9 3942 database optional postgresql-15_15.16-0+deb12u1.dsc
c42ad5b6c1f8ba6164630dc88b8d6741 23350381 database optional postgresql-15_15.16.orig.tar.bz2
da431c729cef488b2f9c985f08b31bf1 30176 database optional postgresql-15_15.16-0+deb12u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmmLUr0ACgkQTFprqxLS
p66NuhAAjtZ4dnOQb2M5CTkXQyLOY633UL6NEW5q7G5WJSR75WSxqimhpEvMJLlN
zqnfZ7gVddL1JXthWN5jOHE/Ln0Z5vmeS/IscOxyMPEQNcyX/XsCD5GFIsMtSEQ+
6UUjOUG6U4l0HWdh+dQW1hXzcsDoh8Y0bGUgO2pDk5KuSPnRnOFXNllOV1rb8KDa
zveYDl3F4p4JsS9FIz/R00lWEXh510yJk5eGenoGatjl122gOhxaSwnR+l1mOvg4
uk0tk8fJ7aa/CUHjMkByoZxSp36De5zHrtiFfSIHkv2MNWUMjq9SJq8s8u0CKE36
3o1oGuNIgyoVwejj4dDR3nSeXJwc1GDvvk7ow0rJf1rvevoKhmSjAWTk5/v9/MbX
uFww4tJmD2Z6pZS+0jYNjb/F0d1talrDfanaoVLe0NpjiY4lMHdI72nydURW1omR
yYCXLuFo1K7EmyfZeeLBeSN68IckSNMTRVtEqVSsz+TvQ89pC/ufch4ToNqOdkdl
oMSNhBfJHxXonUV73rrKjwizSvbMXipF8CiacVprVOp2HTxK+JAA20Nfb5Y6+psB
dqVQpcNE7TntUsrqErNP1T/+CCr+zGagjAfy9xkgf0YN0y3TSUEKeZQyS3J/52G3
wBDuHCGDmUef7lvKkQa6iM4SWnMKWcsZi2lEdDcji/VVlmMYFbU=
=clAh
-----END PGP SIGNATURE-----
