-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 10 Jun 2026 00:14:44 -0300
Source: postgresql-13
Architecture: source
Version: 13.23-0+deb11u4
Distribution: bullseye-security
Urgency: high
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Emmanuel Arias <eamanu@debian.org>
Changes:
 postgresql-13 (13.23-0+deb11u4) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Apply upstream fix for CVE-2026-6637: Maliciously crafted key value
     updates could achieve SQL injection within check_foreign_key().
   * Apply upstream fix for CVE-2026-6479: The handling of SSL and GSS
     negotiation messages in ProcessStartupPacket() could cause a recursion
     of the backend, ultimately crashing the server as the negotiation
     attempts were not tracked across multiple calls processing startup
     packets.
   * Apply upstream fix for CVE-2026-6478: Applies timingsafe_bcmp() to
     authentication paths that handle attributes or data previously compared
     with memcpy() or strcmp(), which are sensitive to timing attacks.
   * Apply upstream fix for CVE-2026-6477: Mark PQfn() unsafe and fix overrun
     in frontend LO interface.
   * Apply upstream fix for CVE-2026-6475: Prevent path traversal in
     pg_basebackup and pg_rewind.
   * Apply upstream fix for CVE-2026-6474: Guard against unsafe conditions in
     usage of pg_strftime().
   * Apply upstream fix for CVE-2026-6473: Integer wraparound in multiple
     PostgreSQL server features allows an unprivileged database user to cause
     the server to undersize an allocation and write out-of-bounds.