Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-changes@lists.debian.org>
Subject: Accepted postgresql-17 17.8-0+deb13u1 (source) into proposed-updates
Date: Thu, 19 Feb 2026 23:04:37 +0000
Signed by: Christoph Berg <myon@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 10 Feb 2026 11:26:19 +0100
Source: postgresql-17
Built-For-Profiles: nocheck
Architecture: source
Version: 17.8-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-17 (17.8-0+deb13u1) trixie-security; urgency=medium
 .
   * New upstream version 17.8.
 .
     + Guard against unexpected dimensions of oidvector/int2vector (Tom Lane)
 .
       These data types are expected to be 1-dimensional arrays containing no
       nulls, but there are cast pathways that permit violating those
       expectations.  Add checks to some functions that were depending on those
       expectations without verifying them, and could misbehave in consequence.
 .
       The PostgreSQL Project thanks Altan Birler for reporting this problem.
       (CVE-2026-2003)
 .
     + Harden selectivity estimators against being attached to operators that
       accept unexpected data types (Tom Lane)
 .
       contrib/intarray contained a selectivity estimation function that could
       be abused for arbitrary code execution, because it did not check that
       its input was of the expected data type.  Third-party extensions should
       check for similar hazards and add defenses using the technique intarray
       now uses. Since such extension fixes will take time, we now require
       superuser privilege to attach a non-built-in selectivity estimator to an
       operator.
 .
       The PostgreSQL Project thanks Daniel Firer, as part of zeroday.cloud,
       for reporting this problem. (CVE-2026-2004)
 .
     + Fix buffer overrun in contrib/pgcrypto's PGP decryption functions
       (Michael Paquier)
 .
       Decrypting a crafted message with an overlength session key caused a
       buffer overrun, with consequences as bad as arbitrary code execution.
 .
       The PostgreSQL Project thanks Team Xint Code, as part of zeroday.cloud,
       for reporting this problem. (CVE-2026-2005)
 .
     + Fix inadequate validation of multibyte character lengths
       (Thomas Munro, Noah Misch)
 .
       Assorted bugs allowed an attacker able to issue crafted SQL to overrun
       string buffers, with consequences as bad as arbitrary code execution.
       After these fixes, applications may observe invalid byte sequence for
       encoding errors when string functions process invalid text that has been
       stored in the database.
 .
       The PostgreSQL Project thanks Paul Gerste and Moritz Sanft, as part of
       zeroday.cloud, for reporting this problem. (CVE-2026-2006)
Checksums-Sha1:
 13a56192519c43198bc0df3142edaba597150705 4515 postgresql-17_17.8-0+deb13u1.dsc
 3932e2bca59a129d61bf0a545d604843e771eb49 21637088 postgresql-17_17.8.orig.tar.bz2
 c802e78930b2d6c83840e8c6724129e17ebe6281 29540 postgresql-17_17.8-0+deb13u1.debian.tar.xz
Checksums-Sha256:
 ed1dfa21a7444e35c93b5925c15bb9fb17ffcd1250f35e9fba6432b691e07041 4515 postgresql-17_17.8-0+deb13u1.dsc
 a88d195dd93730452d0cfa1a11896720d6d1ba084bc2be7d7fc557fa4e4158a0 21637088 postgresql-17_17.8.orig.tar.bz2
 561c09dfb5f5e282790acf511bcb882c3827c83009397ab9b29a36871bfea5e0 29540 postgresql-17_17.8-0+deb13u1.debian.tar.xz
Files:
 7f0ef7af9dc2cc1f2f4957fdb111eea5 4515 database optional postgresql-17_17.8-0+deb13u1.dsc
 c045db1c921592960ffc4aafdfc4537c 21637088 database optional postgresql-17_17.8.orig.tar.bz2
 38992451d21cb99c8afea2f031e8e10c 29540 database optional postgresql-17_17.8-0+deb13u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmmLUYUACgkQTFprqxLS
p64Qjw/9H08zEzhwx8OTcMUHELaseeskjMIccgsHhjSbfHmktBF2dXukt4ZshvFf
ocT81Mcp0zsueq6tRCAiW7jEXeDHdBJQmWugvczDHq1rVmyrcHIoBq6bKGlhPsBO
IxS9f/dm4FbO+qRW/DVmNsVJKBIQAr+jpasApgv5j3iR/MhhUMT2XnlCr2pEfSi2
+qsyPpi/HWnWvb+WiLkZqECro+DuBaEFmC5iIWj0ePU8N4BrIEh318mKcIej0PBg
xg9NyRwe4LEE772F1zUdf2hlXF4OsI8KF4uNNvGS1Qz1Bti7wZm9CU+n65/NEW0O
kxMbKXycvkbavUlcuSPHHKLcdnix/30trA774jrpuwE68QaTe7yHC+yG86abYoEY
LGNW+Jlbk8ReBek5/ccoM7l0t8b54/B8APqML5vN/AxoqC8t7AWsyY7dwvZkjDJ6
6SjKXfaW9aAsyVJU3HQO+OTJVYHFuZK5uqy5qJZyRBE/7EiCoNr69aXp3+OAot3M
FY8NU2qGUtnKJ0jHyviZReO6Mb/uhXyE/FOFAmDWsejKtVaIy8u9yxONbZ7es2nW
4S7kGokHc2FcP9NrOyti82G3p+mfMclZ9n5ctA0WnbXaqXZkIU7uoQHYBjFesUoY
KOQV6aRJ3RbfpRJPYXo0AMiHl2QE+BmBz9mgYs4+ctDCz3mD0pc=
=+7lN
-----END PGP SIGNATURE-----
News for package postgresql-17
