postgresql-18 - Debian Package Tracker

general

source: postgresql-18 (main)
version: 18.4-1
maintainer: Debian PostgreSQL Maintainers (DMD)
uploaders: Martin Pitt [DMD] – Peter Eisentraut [DMD] – Christoph Berg [DMD]
arch: all any
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

testing: 18.3-1
unstable: 18.4-1

versioned links

18.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
18.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libecpg-compat3
libecpg-dev
libecpg6
libpgtypes3
libpq-dev (2 bugs: 0, 2, 0, 0)
libpq-oauth
libpq5
postgresql-18 (4 bugs: 0, 4, 0, 0)
postgresql-18-jit
postgresql-client-18
postgresql-doc-18
postgresql-plperl-18
postgresql-plpython3-18
postgresql-pltcl-18
postgresql-server-dev-18

action needed

11 security issues in forky high

There are 11 open security issues in forky.

11 important issues:

CVE-2026-6472: Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6473: Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6474: Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6475: Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6476: SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.
CVE-2026-6477: Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6478: Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6479: Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6575: Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.
CVE-2026-6637: Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6638: SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

Created: 2026-05-14 Last update: 2026-05-15 06:00

debian/patches: 7 patches with invalid metadata, 5 patches to forward upstream high

Among the 12 debian patches available in version 18.4-1 of the package, we noticed the following issues:

7 patches with invalid metadata that ought to be fixed.
5 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-09-23 Last update: 2026-05-14 22:01

lintian reports 5 errors and 2 warnings high

Lintian reports 5 errors and 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-02-26 Last update: 2026-05-14 19:30

Depends on packages which need a new maintainer normal

The packages that postgresql-18 depends on which need a new maintainer are:

systemtap (#1114760)
- Build-Depends: systemtap-sdt-dev
docbook-xml (#802368)
- Build-Depends: docbook-xml
docbook-xsl (#802370)
- Build-Depends: docbook-xsl

Created: 2025-09-22 Last update: 2026-05-23 20:31

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-05-19 Last update: 2026-05-23 20:31

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).

Created: 2025-12-23 Last update: 2026-05-14 18:02

testing migrations

This package will soon be part of the auto-perl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for postgresql-18 (18.3-1 to 18.4-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for cyrus-imapd/3.12.2-1: amd64: Pass, arm64: Test triggered (failure will be ignored), i386: Failed (not a regression) ♻ (reference ♻), ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for libreoffice/4:26.2.3.2-2: amd64: Pass, arm64: Test triggered (failure will be ignored), i386: Test triggered (failure will be ignored), ppc64el: Pass, riscv64: Regression ♻ (reference ♻), s390x: Pass
- ∙ ∙ Autopkgtest for londiste-sql/3.8-7: riscv64: Pass ♻
- ∙ ∙ Autopkgtest for luanti/5.15.2+dfsg-1: riscv64: Pass ♻
- ∙ ∙ Autopkgtest for pg-auto-failover/2.2-3: riscv64: Pass ♻
- ∙ ∙ Autopkgtest for pgmemcache/2.3.0-15: riscv64: Pass ♻
- ∙ ∙ Autopkgtest for postgresql-18/18.4-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for vtk9/9.5.2+dfsg4-3: riscv64: Pass ♻
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/p/postgresql-18.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 10 days old (needed 5 days)
- Not considered

news

[rss feed]

[2026-05-14] Accepted postgresql-18 18.4-1 (source) into unstable (Christoph Berg)
[2026-03-01] postgresql-18 18.3-1 MIGRATED to testing (Debian testing watch)
[2026-02-26] Accepted postgresql-18 18.3-1 (source) into unstable (Christoph Berg)
[2026-02-21] postgresql-18 18.2-1 MIGRATED to testing (Debian testing watch)
[2026-02-12] Accepted postgresql-18 18.2-1 (source) into unstable (Christoph Berg)
[2025-12-14] postgresql-18 18.1-2 MIGRATED to testing (Debian testing watch)
[2025-12-11] Accepted postgresql-18 18.1-2 (source) into unstable (Christoph Berg)
[2025-11-16] postgresql-18 18.1-1 MIGRATED to testing (Debian testing watch)
[2025-11-13] Accepted postgresql-18 18.1-1 (source) into unstable (Christoph Berg)
[2025-09-29] postgresql-18 18.0-1 MIGRATED to testing (Debian testing watch)
[2025-09-29] postgresql-18 18.0-1 MIGRATED to testing (Debian testing watch)
[2025-09-26] Accepted postgresql-18 18.0-1 (source) into unstable (Christoph Berg)
[2025-09-26] postgresql-18 18~rc1-3 MIGRATED to testing (Debian testing watch)
[2025-09-23] Accepted postgresql-18 18~rc1-3 (source) into unstable (Christoph Berg)
[2025-09-22] Accepted postgresql-18 18~rc1-2 (source) into unstable (Christoph Berg)
[2025-09-04] Accepted postgresql-18 18~rc1-1 (source) into experimental (Christoph Berg)
[2025-08-12] Accepted postgresql-18 18~beta3-1 (source) into experimental (Christoph Berg)
[2025-07-18] Accepted postgresql-18 18~beta2-1 (source) into experimental (Christoph Berg)
[2025-07-01] Accepted postgresql-18 18~beta1+20250701-1 (source) into experimental (Christoph Berg)
[2025-06-24] Accepted postgresql-18 18~beta1+20250624-1 (source) into experimental (Christoph Berg)
[2025-06-12] Accepted postgresql-18 18~beta1+20250612-1 (source) into experimental (Christoph Berg)
[2025-05-08] Accepted postgresql-18 18~beta1-1 (source) into experimental (Christoph Berg)
[2025-05-03] Accepted postgresql-18 18~~devel.20250502-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Christoph Berg)
[2025-04-21] Accepted postgresql-18 18~~devel.20250421-1 (source) into experimental (Christoph Berg)
[2025-04-05] Accepted postgresql-18 18~~devel.20250405-1 (source) into experimental (Christoph Berg)
[2025-03-31] Accepted postgresql-18 18~~devel.20250331-1 (source) into experimental (Christoph Berg)
[2025-03-29] Accepted postgresql-18 18~~devel.20250318+g4078da6c478-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Christoph Berg)

bugs [bug history graph]

all: 6
RC: 0
I&N: 6
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (5, 2)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
l10n (100, 97)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 18.3-1
3 bugs