Register | Log in

postgresql-13

Choose email to subscribe with

general

source: postgresql-13 (main)
version: 13.23-0+deb11u3
maintainer: Debian PostgreSQL Maintainers (DMD)
uploaders: Martin Pitt [DMD] – Peter Eisentraut [DMD] – Christoph Berg [DMD]
arch: all any
std-ver: 4.5.0
VCS: Git (Browse)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 13.16-0+deb11u1
o-o-sec: 13.23-0+deb11u3
o-o-p-u: 13.16-0+deb11u1

versioned links

13.16-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
13.23-0+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libecpg-compat3
libecpg-dev
libecpg6
libpgtypes3
libpq-dev (2 bugs: 0, 2, 0, 0)
libpq5
postgresql-13
postgresql-client-13
postgresql-doc-13
postgresql-plperl-13
postgresql-plpython3-13
postgresql-pltcl-13
postgresql-server-dev-13

package is gone

This package is not in any development repository. This probably means that the package has been removed (or has been renamed). Thus the information here is of little interest ... the package is going to disappear unless someone takes it over and reintroduces it.

action needed

Debci reports failed tests high

unstable: pass (log)
The tests ran in 0:07:49
Last run: 2021-11-24T00:38:17.000Z
Previous status: unknown

testing: pass (log)
The tests ran in 0:08:43
Last run: 2021-11-21T12:26:51.000Z
Previous status: unknown

stable: fail (log)
The tests ran in 0:04:20
Last run: 2023-06-08T08:30:12.000Z
Previous status: unknown

Created: 2023-05-15 Last update: 2026-05-15 15:47

8 security issues in bullseye high

There are 8 open security issues in bullseye.

8 important issues:

CVE-2026-6472: Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6473: Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6474: Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6475: Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6477: Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6478: Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6479: Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6637: Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Created: 2026-05-14 Last update: 2026-05-15 06:00

news

[2026-04-17] Accepted postgresql-13 13.23-0+deb11u3 (source) into oldoldstable-security (Jochen Sprickerhof)
[2026-04-08] Accepted postgresql-13 13.23-0+deb11u2 (source) into oldoldstable-security (Jochen Sprickerhof)
[2025-12-25] Accepted postgresql-13 13.23-0+deb11u1 (source) into oldoldstable-security (Christoph Berg)
[2025-08-14] Accepted postgresql-13 13.22-0+deb11u1 (source) into oldoldstable-security (Christoph Berg)
[2025-05-08] Accepted postgresql-13 13.21-0+deb11u1 (source) into oldstable-security (Christoph Berg)
[2025-02-20] Accepted postgresql-13 13.20-0+deb11u1 (source) into oldstable-security (Christoph Berg)
[2025-02-13] Accepted postgresql-13 13.19-0+deb11u1 (source) into oldstable-security (Christoph Berg)
[2024-11-21] Accepted postgresql-13 13.18-0+deb11u1 (source) into oldstable-security (Christoph Berg)
[2024-11-14] Accepted postgresql-13 13.17-0+deb11u1 (source) into oldstable-security (Christoph Berg)
[2024-08-10] Accepted postgresql-13 13.16-0+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Christoph Berg)
[2024-08-09] Accepted postgresql-13 13.16-0+deb11u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Christoph Berg)
[2024-05-20] Accepted postgresql-13 13.15-0+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Christoph Berg)
[2024-02-15] Accepted postgresql-13 13.14-0+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Christoph Berg)
[2024-02-14] Accepted postgresql-13 13.14-0+deb11u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Christoph Berg)
[2023-11-18] Accepted postgresql-13 13.13-0+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Christoph Berg)
[2023-11-13] Accepted postgresql-13 13.13-0+deb11u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Christoph Berg)
[2023-10-12] Accepted postgresql-13 13.12-0+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Christoph Berg)
[2023-05-14] Accepted postgresql-13 13.11-0+deb11u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Christoph Berg)
[2023-05-11] Accepted postgresql-13 13.11-0+deb11u1 (source) into stable-security (Debian FTP Masters) (signed by: Christoph Berg)
[2023-02-12] Accepted postgresql-13 13.10-0+deb11u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Christoph Berg)
[2022-11-23] Accepted postgresql-13 13.9-0+deb11u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Christoph Berg)
[2022-08-14] Accepted postgresql-13 13.8-0+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Christoph Berg)
[2022-05-14] Accepted postgresql-13 13.7-0+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Christoph Berg)
[2022-05-12] Accepted postgresql-13 13.7-0+deb11u1 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Christoph Berg)
[2021-12-03] postgresql-13 REMOVED from testing (Debian testing watch)
[2021-11-28] Removed 13.4-3 from unstable (Debian FTP Masters)
[2021-11-15] Accepted postgresql-13 13.5-0+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Christoph Berg)
[2021-11-11] Accepted postgresql-13 13.5-0+deb11u1 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Christoph Berg)
[2021-09-02] Accepted postgresql-13 13.4-0+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Christoph Berg)
[2021-09-02] postgresql-13 13.4-3 MIGRATED to testing (Debian testing watch)

1
2

bugs [bug history graph]

all: 0

links

homepage
buildd: logs, cross
popcon
security tracker
debci

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing