head	1.5;
access;
symbols
	pkgsrc-2026Q1:1.4.0.2
	pkgsrc-2026Q1-base:1.4
	pkgsrc-2025Q4:1.2.0.2
	pkgsrc-2025Q4-base:1.2;
locks; strict;
comment	@# @;


1.5
date	2026.05.15.08.34.12;	author adam;	state Exp;
branches;
next	1.4;
commitid	LIa9vpbdxWRj4TFG;

1.4
date	2026.02.26.17.18.54;	author adam;	state Exp;
branches
	1.4.2.1;
next	1.3;
commitid	UQWaj4CctL2MtUvG;

1.3
date	2026.02.13.10.52.25;	author adam;	state Exp;
branches;
next	1.2;
commitid	w0TCHUvGOLf6LcuG;

1.2
date	2025.11.15.06.39.26;	author adam;	state Exp;
branches;
next	1.1;
commitid	6bSr0VVy6VhDfCiG;

1.1
date	2025.10.06.13.30.22;	author adam;	state Exp;
branches;
next	;
commitid	LuTSXVGAcgrvOvdG;

1.4.2.1
date	2026.05.18.09.47.03;	author bsiegert;	state Exp;
branches;
next	;
commitid	87DLspfIwyixnhGG;


desc
@@


1.5
log
@postgresql1*: updated to 18.4, 17.10, 16.14, 15.18, 14.23

PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23

This release fixes 11 security vulnerabilities and over 60 bugs reported over the last several months.

Security Issues

CVE-2026-6472: PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege

CVSS v3.1 Base Score: 5.4

Supported, Vulnerable Versions: 14 - 18.

Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.

CVE-2026-6473: PostgreSQL server undersizes allocations, via integer wraparound

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Integer wraparound in multiple PostgreSQL server features allows an application input provider to cause the server to undersize an allocation and write out-of-bounds. This results in a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Anemone, A1ex, Xint Code, Jihe Wang, Jingzhou Fu, Pavel Kohout, Petr Simecek, www.aisle.com, Bruce Dang of Calif.io, and Sven Klemm for reporting this problem.

CVE-2026-6474: PostgreSQL timeofday() can disclose portions of server memory

CVSS v3.1 Base Score: 4.3

Supported, Vulnerable Versions: 14 - 18.

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Xint Code for reporting this problem.

CVE-2026-6475: PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem.

CVE-2026-6476: PostgreSQL pg_createsubscriber allows SQL injection via subscription name

CVSS v3.1 Base Score: 7.2

Supported, Vulnerable Versions: 17 - 18.

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

The PostgreSQL project thanks Yu Kunpeng for reporting this problem.

CVE-2026-6477: PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Yu Kunpeng and Martin Heistermann for reporting this problem.

CVE-2026-6478: PostgreSQL discloses MD5-hashed passwords via covert timing channel

CVSS v3.1 Base Score: 6.5

Supported, Vulnerable Versions: 14 - 18.

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Joe Conway for reporting this problem.

CVE-2026-6479: PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion

CVSS v3.1 Base Score: 7.5

Supported, Vulnerable Versions: 14 - 18.

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Calif.io in collaboration with Claude and Anthropic Research for reporting this problem.

CVE-2026-6575: PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array

CVSS v3.1 Base Score: 4.3

Supported, Vulnerable Versions: 18.

Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

The PostgreSQL project thanks Jeroen Gui for reporting this problem.

CVE-2026-6637: PostgreSQL refint allows stack buffer overflow and SQL injection

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Stack buffer overflow in PostgreSQL module refint allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a refint cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Nikolay Samokhvalov for reporting this problem.

CVE-2026-6638: PostgreSQL REFRESH PUBLICATION allows SQL injection via table name

CVSS v3.1 Base Score: 3.7

Supported, Vulnerable Versions: 16 - 18.

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

The PostgreSQL project thanks Pavel Kohout, Aisle Research for reporting this problem.

Bug Fixes and Improvements

This update fixes over 60 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

Fix queries that could return incorrect results when using a nondeterministic collation over a unique index.
Fix loss of deferrability of foreign-key triggers. Previously, a foreign key defined as DEFERRABLE INITIALLY DEFERRED would behave as NOT DEFERRABLE after being set to NOT ENFORCED status and then back to ENFORCED. If you have a foreign key with this problem, after installing this update you can fix it by setting it to NOT ENFORCED and then back to ENFORCED.
Improve the planner's ability to apply partition pruning to more cases.
Fix self-join removal to handle join clauses that are only boolean columns, for example, ON t1.boolcol.
Several fixes around virtual generated columns, including ensuring INSERT ... ON CONFLICT works when EXCLUDED references a virtual generated column.
Report a serialization failure when MERGE encounters a concurrently-updated tuple in "repeatable read" or "serializable" isolation modes.
Fix CREATE TABLE ... LIKE ... INCLUDING STATISTICS for cases where the source table had one or more dropped columns.
Fix WITHOUT OVERLAPS to allow domains.
Disallow making a composite type be a member of itself via a multirange.
Fix sometimes-incorrect results when array_agg(anyarray) executes in parallel.
Prevent bloating during restore of an incremental backup.
Prevent stuck logical replication slot synchronization worker processes from blocking promotion of a standby server.
Make the pg_aios system view pid column show NULL instead of 0 when an entry has no owning process.
Fix cases where pg_stat_replication shows NULL lag even while replication is active.
Correctly display JOIN alias variables that are used in GROUP BY.
If the startup process fails, properly shut down other child processes before exiting the postmaster.
Fix race condition that could cause a standby server following WAL from a primary of an older minor version to get into a crash-and-restart loop.
Prevent indefinite wait in shutdown of a walsender process when logical replication is actively publishing data.
Ensure that free space map changes are persisted during recovery. This could have performance ramifications on a standby server after promotion.
Fix assorted bugs in backup decompression and tar-parsing code used in pg_basebackup and pg_verifybackup.
Ensure pg_dumpall doesn't skip role grants with dangling grantor OIDs, restoring the behavior before PostgreSQL 16. Emits a warning about missing grantor if the source server is PostgreSQL 16 or later.
Fix pg_upgrade to use the correct protocol version when connecting to older source servers.
Fix output in pg_overexplain when using the RANGE_TABLE option.
Fix postgres_fdw crash due to premature cleanup of a failed connection.
@
text
@$NetBSD: distinfo,v 1.4 2026/02/26 17:18:54 adam Exp $

BLAKE2s (postgresql-18.4.tar.bz2) = f6730205148db7a93b012e0066061d334913835a9564c137a79d82f4c108ee6b
SHA512 (postgresql-18.4.tar.bz2) = 1a7606b5b2460a4fc817d491e1e03262df17ece6869fa3d2b80647baffcfb790fbcfa019c3b10fab9f9a14218651b6a358864e40a5d8c5ddc796db2d6e5b469c
Size (postgresql-18.4.tar.bz2) = 22567173 bytes
SHA1 (patch-config_missing) = c2d7d742922ba6861e7660c75b7b53f09e564813
SHA1 (patch-config_perl.m4) = 9c4bf707b6aded63b2e0cff375465693cad1dea9
SHA1 (patch-configure) = beebdd7d46e37065c86d7edbfb982bac1fbc9147
SHA1 (patch-contrib_dblink_dblink.c) = a6f87ab9f2c28a72608d70267b71bd77437b0921
SHA1 (patch-src_Makefile.global.in) = 489e57dc2c14c8be8c6bccf4bb7088c862beea05
SHA1 (patch-src_Makefile.shlib) = b304f544716dc4b85393e94236c49dc18853722b
SHA1 (patch-src_backend_Makefile) = 514a0bb7a0d570df4e28b582e58baf7fd1224e40
SHA1 (patch-src_interfaces_libpq_Makefile) = 711b3a94711602daffb8b7d9c6b5c9f9e4367a7a
SHA1 (patch-src_makefiles_Makefile.solaris) = 2dd1a3e6b279331b0835d3af3af02f4fe1cfa216
SHA1 (patch-src_pl_plperl_GNUmakefile) = 5ca28fdf0a2426e3c9ab26ef9c5dfe626a96ef46
@


1.4
log
@postgresql1[4-8]: updated to 18.3, 17.9, 16.13, 15.17, 14.22

PostgreSQL 18.3, 17.9, 16.13, 15.17, and 14.22

Bug Fixes and Improvements

This update fixes several bugs that were reported since the previous release. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

Fix issue where a standby would halt and return an error "could not access status of transaction".
Fix error where the substring() function would raise an error "invalid byte sequence for encoding" on non-ASCII text values if the source of that value is a database column. This was due to a change introduced for the fix to CVE-2026-2006.
Fix for the strict_word_similarity function in pg_trgm that could lead to incorrect output or crashes. This was due to an oversight in the fix for CVE-2026-2007.
Fix function volatility for json_strip_nulls() and jsonb_strip_nulls() to be immutable, like previous releases, allowing for them to be used in indexes. If you previously upgraded to PostgreSQL 18.0 through 18.2, see the additional steps in the "Updating" section.
Fix for NOT NULL tests in LATERAL UNION ALL subquery that could lead to wrong query output.
Avoid NOT NULL constraints from generating name conflicts with user-written constraints.
Fix pg_stat_get_backend_wait_event() and pg_stat_get_backend_wait_event_type() to report values for auxiliary processes, similar to pg_stat_activity.
Fix casting a composite-type variable to a domain type when returning its value from a PL/pgSQL function.
Fix the hstore binary input function to avoid crashes on input with duplicate keys.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.3 2026/02/13 10:52:25 adam Exp $
d3 3
a5 3
BLAKE2s (postgresql-18.3.tar.bz2) = 2415f17637740ad6ccf6385f919b83e403eba86466cdcd07b27b5ee4f10ea215
SHA512 (postgresql-18.3.tar.bz2) = fdbe6d726f46738cf14acab96e5c05f7d65aefe78563281b416bb14a27c7c42e4df921e26b32816a5030ddbe506b95767e2c74a35afc589916504df38d1cb11c
Size (postgresql-18.3.tar.bz2) = 22497924 bytes
@


1.4.2.1
log
@Pullup ticket #7117 - requested by taca
databases/postgresql{14,15,16,17,18}: security fix

Revisions pulled up:
- databases/postgresql14-docs/PLIST                             1.24
- databases/postgresql14/Makefile.common                        1.30
- databases/postgresql14/distinfo                               1.26
- databases/postgresql15-docs/PLIST                             1.19
- databases/postgresql15/Makefile.common                        1.24
- databases/postgresql15/distinfo                               1.19
- databases/postgresql16-docs/PLIST                             1.15
- databases/postgresql16/Makefile.common                        1.22
- databases/postgresql16/distinfo                               1.16
- databases/postgresql17-docs/PLIST                             1.11
- databases/postgresql17/Makefile.common                        1.18
- databases/postgresql17/distinfo                               1.11
- databases/postgresql18-docs/PLIST                             1.5
- databases/postgresql18/Makefile.common                        1.6
- databases/postgresql18/distinfo                               1.5

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Fri May 15 08:34:13 UTC 2026

   Modified Files:
   	pkgsrc/databases/postgresql14: Makefile.common distinfo
   	pkgsrc/databases/postgresql14-docs: PLIST
   	pkgsrc/databases/postgresql15: Makefile.common distinfo
   	pkgsrc/databases/postgresql15-docs: PLIST
   	pkgsrc/databases/postgresql16: Makefile.common distinfo
   	pkgsrc/databases/postgresql16-docs: PLIST
   	pkgsrc/databases/postgresql17: Makefile.common distinfo
   	pkgsrc/databases/postgresql17-docs: PLIST
   	pkgsrc/databases/postgresql18: Makefile.common distinfo
   	pkgsrc/databases/postgresql18-docs: PLIST

   Log Message:
   postgresql1*: updated to 18.4, 17.10, 16.14, 15.18, 14.23

   PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23

   This release fixes 11 security vulnerabilities and over 60 bugs reported over the last several months.

   Security Issues

   CVE-2026-6472: PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege

   CVSS v3.1 Base Score: 5.4

   Supported, Vulnerable Versions: 14 - 18.

   Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

   The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.

   CVE-2026-6473: PostgreSQL server undersizes allocations, via integer wraparound

   CVSS v3.1 Base Score: 8.8

   Supported, Vulnerable Versions: 14 - 18.

   Integer wraparound in multiple PostgreSQL server features allows an application input provider to cause the server to undersize an allocation and write out-of-bounds. This results in a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

   The PostgreSQL project thanks Anemone, A1ex, Xint Code, Jihe Wang, Jingzhou Fu, Pavel Kohout, Petr Simecek, www.aisle.com, Bruce Dang of Calif.io, and Sven Klemm for reporting this problem.

   CVE-2026-6474: PostgreSQL timeofday() can disclose portions of server memory

   CVSS v3.1 Base Score: 4.3

   Supported, Vulnerable Versions: 14 - 18.

   Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

   The PostgreSQL project thanks Xint Code for reporting this problem.

   CVE-2026-6475: PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice

   CVSS v3.1 Base Score: 8.8

   Supported, Vulnerable Versions: 14 - 18.

   Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

   The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem.

   CVE-2026-6476: PostgreSQL pg_createsubscriber allows SQL injection via subscription name

   CVSS v3.1 Base Score: 7.2

   Supported, Vulnerable Versions: 17 - 18.

   SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

   The PostgreSQL project thanks Yu Kunpeng for reporting this problem.

   CVE-2026-6477: PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory

   CVSS v3.1 Base Score: 8.8

   Supported, Vulnerable Versions: 14 - 18.

   Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

   The PostgreSQL project thanks Yu Kunpeng and Martin Heistermann for reporting this problem.

   CVE-2026-6478: PostgreSQL discloses MD5-hashed passwords via covert timing channel

   CVSS v3.1 Base Score: 6.5

   Supported, Vulnerable Versions: 14 - 18.

   Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

   The PostgreSQL project thanks Joe Conway for reporting this problem.

   CVE-2026-6479: PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion

   CVSS v3.1 Base Score: 7.5

   Supported, Vulnerable Versions: 14 - 18.

   Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

   The PostgreSQL project thanks Calif.io in collaboration with Claude and Anthropic Research for reporting this problem.

   CVE-2026-6575: PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array

   CVSS v3.1 Base Score: 4.3

   Supported, Vulnerable Versions: 18.

   Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

   The PostgreSQL project thanks Jeroen Gui for reporting this problem.

   CVE-2026-6637: PostgreSQL refint allows stack buffer overflow and SQL injection

   CVSS v3.1 Base Score: 8.8

   Supported, Vulnerable Versions: 14 - 18.

   Stack buffer overflow in PostgreSQL module refint allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a refint cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

   The PostgreSQL project thanks Nikolay Samokhvalov for reporting this problem.

   CVE-2026-6638: PostgreSQL REFRESH PUBLICATION allows SQL injection via table name

   CVSS v3.1 Base Score: 3.7

   Supported, Vulnerable Versions: 16 - 18.

   SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

   The PostgreSQL project thanks Pavel Kohout, Aisle Research for reporting this problem.

   Bug Fixes and Improvements

   This update fixes over 60 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

   Fix queries that could return incorrect results when using a nondeterministic collation over a unique index.
   Fix loss of deferrability of foreign-key triggers. Previously, a foreign key defined as DEFERRABLE INITIALLY DEFERRED would behave as NOT DEFERRABLE after being set to NOT ENFORCED status and then back to ENFORCED. If you have a foreign key with this problem, after installing this update you can fix it by setting it to NOT ENFORCED and then back to ENFORCED.
   Improve the planner's ability to apply partition pruning to more cases.
   Fix self-join removal to handle join clauses that are only boolean columns, for example, ON t1.boolcol.
   Several fixes around virtual generated columns, including ensuring INSERT ... ON CONFLICT works when EXCLUDED references a virtual generated column.
   Report a serialization failure when MERGE encounters a concurrently-updated tuple in "repeatable read" or "serializable" isolation modes.
   Fix CREATE TABLE ... LIKE ... INCLUDING STATISTICS for cases where the source table had one or more dropped columns.
   Fix WITHOUT OVERLAPS to allow domains.
   Disallow making a composite type be a member of itself via a multirange.
   Fix sometimes-incorrect results when array_agg(anyarray) executes in parallel.
   Prevent bloating during restore of an incremental backup.
   Prevent stuck logical replication slot synchronization worker processes from blocking promotion of a standby server.
   Make the pg_aios system view pid column show NULL instead of 0 when an entry has no owning process.
   Fix cases where pg_stat_replication shows NULL lag even while replication is active.
   Correctly display JOIN alias variables that are used in GROUP BY.
   If the startup process fails, properly shut down other child processes before exiting the postmaster.
   Fix race condition that could cause a standby server following WAL from a primary of an older minor version to get into a crash-and-restart loop.
   Prevent indefinite wait in shutdown of a walsender process when logical replication is actively publishing data.
   Ensure that free space map changes are persisted during recovery. This could have performance ramifications on a standby server after promotion.
   Fix assorted bugs in backup decompression and tar-parsing code used in pg_basebackup and pg_verifybackup.
   Ensure pg_dumpall doesn't skip role grants with dangling grantor OIDs, restoring the behavior before PostgreSQL 16. Emits a warning about missing grantor if the source server is PostgreSQL 16 or later.
   Fix pg_upgrade to use the correct protocol version when connecting to older source servers.
   Fix output in pg_overexplain when using the RANGE_TABLE option.
   Fix postgres_fdw crash due to premature cleanup of a failed connection.
@
text
@d1 1
a1 1
$NetBSD$
d3 3
a5 3
BLAKE2s (postgresql-18.4.tar.bz2) = f6730205148db7a93b012e0066061d334913835a9564c137a79d82f4c108ee6b
SHA512 (postgresql-18.4.tar.bz2) = 1a7606b5b2460a4fc817d491e1e03262df17ece6869fa3d2b80647baffcfb790fbcfa019c3b10fab9f9a14218651b6a358864e40a5d8c5ddc796db2d6e5b469c
Size (postgresql-18.4.tar.bz2) = 22567173 bytes
@


1.3
log
@postgresql1[4-8]*: updated to 18.2, 17.8, 16.12, 15.16, and 14.21

PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21

Security Issues

CVE-2026-2003: PostgreSQL oidvector discloses a few bytes of memory

CVSS v3.1 Base Score: 4.3

Supported, Vulnerable Versions: 14 - 18.

Improper validation of type oidvector in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Altan Birler for reporting this problem.

CVE-2026-2004: PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Daniel Firer, as part of zeroday.cloud, for reporting this problem.

CVE-2026-2005: PostgreSQL pgcrypto heap buffer overflow executes arbitrary code

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Team Xint Code, as part of zeroday.cloud, for reporting this problem.

CVE-2026-2006: PostgreSQL missing validation of multibyte character length executes arbitrary code

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Paul Gerste and Moritz Sanft, as part of zeroday.cloud, for reporting this problem.

CVE-2026-2007: PostgreSQL pg_trgm heap buffer overflow writes pattern onto server memory

CVSS v3.1 Base Score: 8.2

Supported, Vulnerable Versions: 18.

Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected.

The PostgreSQL project thanks Heikki Linnakangas for reporting this problem.

Bug Fixes and Improvements

This update fixes over 65 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

Fix inconsistent case-insensitive text matching in the ltree extension. If you use an index on an ltree column, in some cases you may need perform a reindex. See the "Updating" section for additional instructions.
Executing ALTER TABLE ... ADD CONSTRAINT to add a NOT NULL constraint on a column that already is marked as NOT NULL now requires the constraint name to match the existing constraint name.
Fix trigger behavior when MERGE is executed from a WITH query to include rows affected by the MERGE.
Several query planner fixes.
Fix for text substring search for non-deterministic collations.
Several fixes for NOTIFY error handling and reporting.
Use the correct ordering function in GIN index parallel builds.
Fix incorrect handling of incremental backups with tables larger than 1GB.
Fail recovery if WAL does not exist back to the redo point indicated by the checkpoint record.
Fix for ALTER PUBLICATION to ensure event triggers contain all set options.
Several fixes around replication slot initialization.
Don't advance replication slot after a logical replication parallel worker apply failure to prevent transaction loss on the subscriber.
Fix error reporting for SQL/JSON path type mismatches.
Fix JIT compilation function inlining when using LLVM 17 or later.
Add new server parameter file_extend_method to control use of posix_fallocate().
Fix psql tab completion for the VACUUM command options.
Fix pg_dump to handle concurrent sequence drops gracefully and to fail if the calling user explicitly lacks privileges to read the sequence.
Several fixes for amcheck around btree inspection.
Avoid crash in pg_stat_statements when an IN list contains both constants and non-constant expressions.
This release also updates time zone data files to tzdata release 2025c, which only has a historical data change for pre-1976 timestamps in Baja California.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.2 2025/11/15 06:39:26 adam Exp $
d3 3
a5 3
BLAKE2s (postgresql-18.2.tar.bz2) = 59c7699db888d15aa2621f830a33b5f7840ca8e9f67fba79e0cd6d6566642fdd
SHA512 (postgresql-18.2.tar.bz2) = 76430e05fc4a38fbe9a43d27fcd1ba85939de7690ad320e3820dba1403417da83b89aa4b27219b6a1b91fe2d4e20c85b0337732f7b8978a9850c930dbadff67f
Size (postgresql-18.2.tar.bz2) = 22492584 bytes
@


1.2
log
@postgresql: updated to 18.1, 17.7, 16.11, 15.15, 14.20, 13.23

PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23

Security Issues
- CVE-2025-12817: PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege
- CVE-2025-12818: PostgreSQL libpq undersizes allocations, via integer wraparound

Bug Fixes and Improvements

This update fixes over 50 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

Avoid returning duplicate rows from hash right semi-joins.
Avoid possible out-of-memory failures during parallel GIN index build.
Several fixes for BRIN indexes.
Fixes for crashes related to partitioned tables, including one occurring during a recheck.
Avoid duplicating hash partition constraints during DETACH CONCURRENTLY, which previously caused issues during dump/restore or if a parent table is dropped after the DETACH.
Disallow generated columns in partition keys and in COPY ... FROM ... WHERE clauses.
Fix incorrect reporting of replication lag in pg_stat_replication view.
Avoid failures when synchronized_standby_slots references nonexistent replication slots.
Avoid unwanted WAL receiver shutdown when switching from streaming to archive WAL source.
Avoid unnecessary invalidation of logical replication slots.
Correctly handle GROUP BY DISTINCT in PL/pgSQL assignment statements.
Avoid leaking memory when handling a SQL error within PL/Python.
Fix how libpq handles socket-related errors on Windows within its GSSAPI logic.
Fix dumping of non-inherited NOT NULL constraints on inherited table columns.
Ensure consistent ordering of foreign key constraints in the output of pg_dump.
Several fixes for pgbench error handling and reporting.
Fix memory leak in pg_combinebackup.
Allow nonsuperusers with SELECT privileges on a table to use pg_prewarm to prewarm indexes on that table.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.1 2025/10/06 13:30:22 adam Exp $
d3 3
a5 3
BLAKE2s (postgresql-18.1.tar.bz2) = 563e4a0c3505fed0e2c11b9767ece8395f937743b75044e22fc4aadf94eebba4
SHA512 (postgresql-18.1.tar.bz2) = bac8a9bfb12c0c70b5870d92c6f322edbfd559e9ac939e841f16d8271b5c2bc4fb2628e053b407aed71b4032e9f4cba55f1e0a8dc6a3bd4933c2b701fe69ec08
Size (postgresql-18.1.tar.bz2) = 22423920 bytes
@


1.1
log
@postgresql18: added version 18.0

PostgreSQL 18 improves performance for workloads of all sizes through a new I/O
subsystem that has demonstrated up to 3× performance improvements when reading
from storage, and also increases the number of queries that can use indexes.
This release makes major-version upgrades less disruptive, accelerating upgrade
times and reducing the time required to reach expected performance after an
upgrade completes. Developers also benefit from PostgreSQL 18 features,
including virtual generated columns that compute values at query time, and the
database-friendly uuidv7() function that provides better indexing and read
performance for UUIDs. PostgreSQL 18 makes it easier to integrate with
single-sign on (SSO) systems with support for OAuth 2.0 authentication.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.7 2025/08/15 08:37:42 adam Exp $
d3 3
a5 3
BLAKE2s (postgresql-18.0.tar.bz2) = 770a3b7bc4f12deb2a07d1596e0437ea5304422f6454905e06b2b2408200ee97
SHA512 (postgresql-18.0.tar.bz2) = d3a2b460465259c461b1e53555f48881986d3103af6f7c654366ada04ab43b61ce22eb3cb078c70afdac22ddfa5bd9ce2928e3edb110f7f029c958340a980f37
Size (postgresql-18.0.tar.bz2) = 22412570 bytes
@