postgresql-17 - Debian Package Tracker

general

source: postgresql-17 (main)
version: 17.6-1
maintainer: Debian PostgreSQL Maintainers (DMD)
uploaders: Martin Pitt [DMD] – Peter Eisentraut [DMD] – Christoph Berg [DMD]
arch: all any
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 17.5-1
testing: 17.5-1
unstable: 17.6-1

versioned links

17.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
17.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libecpg-compat3
libecpg-dev
libecpg6
libpgtypes3
libpq-dev (1 bugs: 0, 1, 0, 0)
libpq5
postgresql-17 (1 bugs: 0, 1, 0, 0)
postgresql-client-17 (2 bugs: 0, 2, 0, 0)
postgresql-doc-17
postgresql-plperl-17
postgresql-plpython3-17
postgresql-pltcl-17
postgresql-server-dev-17

action needed

3 security issues in forky high

There are 3 open security issues in forky.

3 important issues:

CVE-2025-8713: PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
CVE-2025-8714: Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
CVE-2025-8715: Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.

Created: 2025-08-14 Last update: 2025-08-15 04:29

debian/patches: 7 patches with invalid metadata, 4 patches to forward upstream high

Among the 11 debian patches available in version 17.6-1 of the package, we noticed the following issues:

7 patches with invalid metadata that ought to be fixed.
4 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2024-09-05 Last update: 2025-08-14 19:33

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2025-08-11 Last update: 2025-08-19 12:01

Depends on packages which need a new maintainer normal

The packages that postgresql-17 depends on which need a new maintainer are:

docbook-xml (#802368)
- Build-Depends: docbook-xml
docbook-xsl (#802370)
- Build-Depends: docbook-xsl

Created: 2024-09-05 Last update: 2025-08-19 12:00

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 17.6-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit bf3a91be51f097bb430b7c2c73d65f1727a182fc
Author: Christoph Berg <myon@debian.org>
Date:   Wed Aug 13 23:38:40 2025 +0200

    Bump version number
    
    We dropped the trailing 0 from the Debian release number in pgdgNN tags;
    snapshot builds need a version bump.

Created: 2025-06-18 Last update: 2025-08-15 21:00

3 low-priority security issues in trixie low

There are 3 open security issues in trixie.

3 issues left for the package maintainer to handle:

CVE-2025-8713: (needs triaging) PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
CVE-2025-8714: (needs triaging) Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
CVE-2025-8715: (needs triaging) Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-08-14 Last update: 2025-08-15 04:29

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2025-01-16 Last update: 2025-01-16 16:33

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.5.0).

Created: 2024-09-05 Last update: 2025-08-14 20:02

testing migrations

This package will soon be part of the auto-perl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-icu transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for postgresql-17 (17.5-1 to 17.6-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ autopkgtest for bacula/15.0.3-3: armel: Pass
- ∙ ∙ autopkgtest for libreoffice/4:25.2.3-2: arm64: Pass
- ∙ ∙ autopkgtest for libreoffice/4:25.8.0~rc4-2: amd64: Pass, armel: Regression or new test ♻ (reference ♻), armhf: Failed (not a regression), i386: Test in progress (will not be considered a regression), ppc64el: Test in progress (will not be considered a regression), riscv64: Pass, s390x: Pass
- ∙ ∙ autopkgtest for postgresql-17/17.6-1: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ autopkgtest for timescaledb/2.19.3+dfsg-1: amd64: Regression or new test ♻ (reference ♻), arm64: Regression or new test ♻ (reference ♻), ppc64el: Regression or new test ♻ (reference ♻), riscv64: Regression or new test ♻ (reference ♻)
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/p/postgresql-17.html
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- ∙ ∙ 5 days old (needed 5 days)
- Not considered

news

[rss feed]

[2025-08-14] Accepted postgresql-17 17.6-1 (source) into unstable (Christoph Berg)
[2025-05-20] postgresql-17 17.5-1 MIGRATED to testing (Debian testing watch)
[2025-05-08] Accepted postgresql-17 17.5-1 (source) into unstable (Christoph Berg)
[2025-04-09] postgresql-17 17.4-2 MIGRATED to testing (Debian testing watch)
[2025-04-07] Accepted postgresql-17 17.4-2 (source) into unstable (Christoph Berg)
[2025-02-26] postgresql-17 17.4-1 MIGRATED to testing (Debian testing watch)
[2025-02-20] Accepted postgresql-17 17.4-1 (source) into unstable (Christoph Berg)
[2025-02-20] postgresql-17 17.3-3 MIGRATED to testing (Debian testing watch)
[2025-02-15] Accepted postgresql-17 17.3-3 (source) into unstable (Christoph Berg)
[2025-02-14] Accepted postgresql-17 17.3-2 (source) into unstable (Christoph Berg)
[2025-02-13] Accepted postgresql-17 17.3-1 (source) into unstable (Christoph Berg)
[2024-11-23] postgresql-17 17.2-1 MIGRATED to testing (Debian testing watch)
[2024-11-21] Accepted postgresql-17 17.2-1 (source) into unstable (Christoph Berg)
[2024-11-14] Accepted postgresql-17 17.1-1 (source) into unstable (Christoph Berg)
[2024-09-28] postgresql-17 17.0-1 MIGRATED to testing (Debian testing watch)
[2024-09-26] Accepted postgresql-17 17.0-1 (source) into unstable (Christoph Berg)
[2024-09-09] postgresql-17 17~rc1-1 MIGRATED to testing (Debian testing watch)
[2024-09-05] Accepted postgresql-17 17~rc1-1 (source) into unstable (Christoph Berg)
[2024-08-08] Accepted postgresql-17 17~beta3-1 (source) into experimental (Christoph Berg)
[2024-06-25] Accepted postgresql-17 17~beta2-1 (source) into experimental (Christoph Berg)
[2024-05-23] Accepted postgresql-17 17~beta1-1 (source) into experimental (Christoph Berg)
[2024-05-11] Accepted postgresql-17 17~~devel20240509-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Christoph Berg)

bugs [bug history graph]

all: 3
RC: 0
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (100, 97)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 17.5-1build1