Your message dated Sun, 22 Mar 2026 07:33:57 +0000
with message-id <[email protected]>
and subject line Bug#1131327: fixed in golang-github-jackc-pgproto3 2.3.3-2
has caused the Debian Bug report #1131327,
regarding CVE-2026-4427: Negative field length panics in DataRow.Decode
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131327: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131327
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: golang-github-jackc-pgproto3
Version: 2.2.0-1
X-Debbugs-CC: [email protected]
Tags: security upstream
This is a bug to track the security vulnerability described here:
https://github.com/jackc/pgx/issues/2507
https://security-tracker.debian.org/tracker/CVE-2026-4427
Upstream project is EOL so likely there won't be a new release, but we
could apply the trivial patch ourselves. This package (and the
vulnerability) is in the call path of jackc/pgx v4 which is widely
deployed. IMHO the severity of the vulnerability is inflated, but still
this would be nice to fix.
/Simon
--- End Message ---
--- Begin Message ---
Source: golang-github-jackc-pgproto3
Source-Version: 2.3.3-2
Done: Simon Josefsson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
golang-github-jackc-pgproto3, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated
golang-github-jackc-pgproto3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 22 Mar 2026 08:01:42 +0100
Source: golang-github-jackc-pgproto3
Architecture: source
Version: 2.3.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1131327
Changes:
golang-github-jackc-pgproto3 (2.3.3-2) unstable; urgency=medium
.
* Team upload
* Fix CVE-2026-4427 (Closes: #1131327)
Git-Tag-Info: tag=8bdf45edb98d29a6d0cbd13d4165098b74a2ad9a
fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>
--- End Message ---