-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 11 May 2026 22:57:44 +0200
Source: postgresql-17
Architecture: source
Version: 17.10-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
postgresql-17 (17.10-0+deb13u1) trixie-security; urgency=medium
.
* New upstream version 17.10.
.
+ Prevent unbounded recursion while processing startup packets
(Michael Paquier)
.
A malicious client could crash the connected backend by alternating
rejected SSL and GSS encryption requests indefinitely.
.
The PostgreSQL Project thanks Calif.io (in collaboration with Claude and
Anthropic Research) for reporting this problem. (CVE-2026-6479)
.
+ Fix assorted integer overflows in memory-allocation calculations
(Tom Lane, Nathan Bossart, Heikki Linnakangas)
.
Various places were incautious about the possibility of integer overflow
in calculations of how much memory to allocate. Overflow would lead to
allocating a too-small buffer which the caller would then write past the
end of. This would at least trigger server crashes, and probably could
be exploited for arbitrary code execution. In many but by no means all
cases, the hazard exists only in 32-bit builds.
.
The PostgreSQL Project thanks Xint Code, Bruce Dang, Sven Klemm, and
Pavel Kohout for reporting these problems. (CVE-2026-6473)
.
+ Properly quote subscription names in pg_createsubscriber
(Nathan Bossart)
.
The given subscription name was inserted into SQL commands without
quoting, so that SQL injection could be achieved in the (perhaps
unlikely) case that the subscription name comes from an untrusted
source.
.
The PostgreSQL Project thanks Yu Kunpeng for reporting this problem.
(CVE-2026-6476)
.
+ Properly quote object names in logical replication origin checks
(Pavel Kohout)
.
ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolated schema and
relation names into SQL commands without quoting them, allowing
execution of arbitrary SQL on the publisher.
.
The PostgreSQL Project thanks Pavel Kohout for reporting this problem.
(CVE-2026-6638)
.
+ Reject over-length options in ts_headline() (Michael Paquier)
.
The StartSel, StopSel and FragmentDelimiter strings must not exceed 32Kb
in length, but this was not checked for. An over-length value would
typically crash the server.
.
The PostgreSQL Project thanks Xint Code for reporting this problem.
(CVE-2026-6473)
.
+ Guard against malicious time zone names in timeofday() and pg_strftime()
(Tom Lane)
.
A crafted time zone setting could pass % sequences to snprintf(),
potentially causing crashes or disclosure of server memory. Another
path to similar results was to overflow the limited-size output buffer
used by pg_strftime().
.
The PostgreSQL Project thanks Xint Code for reporting this problem.
(CVE-2026-6474)
.
+ When creating a multirange type, ensure the user has CREATE privilege on
the schema specified for the multirange type (Jelte Fennema-Nio)
.
The multirange type can be put into a different schema than its parent
range type, but we neglected to apply the required privilege check when
doing so.
.
The PostgreSQL Project thanks Jelte Fennema-Nio for reporting this
problem. (CVE-2026-6472)
.
+ Use timing-safe string comparisons in authentication code
(Michael Paquier)
.
Use timingsafe_bcmp() instead of memcpy() or strcmp() when checking
passwords, hashes, etc. It is not known whether the data dependency of
those functions is usefully exploitable in any of these places, but in
the interests of safety, replace them.
.
The PostgreSQL Project thanks Joe Conway for reporting this problem.
(CVE-2026-6478)
.
+ Mark PQfn() as unsafe, and avoid using it within libpq (Nathan Bossart)
.
For a non-integral result type, PQfn() is not passed the size of the
output buffer, so it cannot check that the data returned by the server
will fit. A malicious server could therefore overwrite client memory.
This is unfixable without an API change, so mark the function as
deprecated. Internally to libpq, use a variant version that can apply
the missing check.
.
The PostgreSQL Project thanks Yu Kunpeng and Martin Heistermann for
reporting this problem. (CVE-2026-6477)
.
+ Prevent path traversal in pg_basebackup and pg_rewind (Michael Paquier)
.
These applications failed to validate output file paths read from their
input, so that a malicious source could overwrite any file writable by
these applications. Constrain where data can be written by rejecting
paths that are absolute or contain parent-directory references.
.
The PostgreSQL Project thanks XlabAI Team of Tencent Xuanwu Lab and
Valery Gubanov for reporting this problem. (CVE-2026-6475)
.
+ Guard against field overflow within contrib/intarray's query_int type
and contrib/ltree's ltxtquery type (Tom Lane)
.
Parsing of these query structures did not check for overflow of 16-bit
fields, so that construction of an invalid query tree was possible.
This can crash the server when executing the query.
.
The PostgreSQL Project thanks Xint Code for reporting this problem.
(CVE-2026-6473)
.
+ Guard against overly long values of contrib/ltree's lquery type
(Michael Paquier)
.
Values with more than 64K items caused internal overflows, potentially
resulting in stack smashes or wrong answers.
.
The PostgreSQL Project thanks Vergissmeinnicht, A1ex, and Jihe Wang for
reporting this problem. (CVE-2026-6473)
.
+ Prevent SQL injection and buffer overruns in contrib/spi
(Nathan Bossart)
.
check_foreign_key() was insufficiently careful about quoting key values,
and also used fixed-length buffers for constructing queries. While this
module is only meant as example code, it still shouldn't contain such
dangerous errors.
.
The PostgreSQL Project thanks Nikolay Samokhvalov for reporting this
problem. (CVE-2026-6637)
Checksums-Sha1:
4502b7febc4671e55bd8943137588564a8b9d6fe 4522 postgresql-17_17.10-0+deb13u1.dsc
92c887e0c9cd4645b6c4d06ec6d10fcda684c78f 21664720 postgresql-17_17.10.orig.tar.bz2
196a74491de3f1d5c797a1a09f6cf28532048e7d 31488 postgresql-17_17.10-0+deb13u1.debian.tar.xz
Checksums-Sha256:
5bc74b90b27b78101b93d04645fc5db8671713ae88b4836decacc7204464b708 4522 postgresql-17_17.10-0+deb13u1.dsc
078a03516dcdbdb705fecaf415ea3d13a956c589e46f09fed68a06fb00598c90 21664720 postgresql-17_17.10.orig.tar.bz2
fa9f5903f1b0ad94a07c50f1d2997419ef6e8cbc7dd27b651060b7e19f630392 31488 postgresql-17_17.10-0+deb13u1.debian.tar.xz
Files:
4713900d6bcdb59934048e00f6620b68 4522 database optional postgresql-17_17.10-0+deb13u1.dsc
c3b03cf52632c13b067647115d1f0dbc 21664720 database optional postgresql-17_17.10.orig.tar.bz2
1b207d881714ac5de066535e76261a6f 31488 database optional postgresql-17_17.10-0+deb13u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
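As an added illustration of the pg_basebackup/pg_rewind entry above (CVE-2026-6475), and not code from this Debian upload or from the PostgreSQL source tree: a hypothetical C helper, `is_safe_relative_path()`, that applies the rule the changelog states, rejecting output paths that are absolute or contain a parent-directory component. The sample paths are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not PostgreSQL's own code).  Mirrors the rule in the
 * changelog entry: an output path read from a remote source is usable only
 * if it is relative and has no parent-directory ("..") component.  Components
 * are split on '/', so "..cache" is an ordinary name.  POSIX separators only;
 * Windows drive letters and backslashes are deliberately not handled here.
 */
bool
is_safe_relative_path(const char *path)
{
    const char *p = path;

    if (path == NULL || *path == '\0' || *path == '/')
        return false;                /* empty or absolute */
    for (;;)
    {
        const char *sep = strchr(p, '/');
        size_t      len = sep ? (size_t) (sep - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;            /* parent-directory reference */
        if (sep == NULL)
            return true;             /* every component checked */
        p = sep + 1;
    }
}

int
main(void)
{
    /* Constructed sample paths, as a malicious source might send them. */
    static const char *const samples[] = {
        "base/1/16384",             /* ordinary relation file: accepted */
        "pg_wal/..archive/seg",     /* "..archive" is a plain name: accepted */
        "/etc/hostname",            /* absolute: rejected */
        "../../outside.txt",        /* escapes the target dir: rejected */
        "global/../../target.conf", /* ".." in the middle: rejected */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i],
               is_safe_relative_path(samples[i]) ? "accept" : "REJECT");
    return 0;
}
```

The check is applied to the path as received, before any filesystem call, so a rejected entry is never opened; a real implementation would also normalise platform-specific separators before applying it.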