CVSROOT: /cvs
Module name: ports
Changes by: [email protected] 2026/05/24 18:36:13
Modified files:
databases/postgresql: Makefile distinfo
databases/postgresql/pkg: PLIST-docs
Log message:
Update to PostgreSQL 18.4
Fixes:
* CVE-2026-6472: PostgreSQL CREATE TYPE does not check multirange schema
CREATE privilege
* CVE-2026-6473: PostgreSQL server undersizes allocations, via integer
wraparound
* CVE-2026-6474: PostgreSQL timeofday() can disclose portions of server
memory
* CVE-2026-6475: PostgreSQL pg_basebackup and pg_rewind can overwrite
unrelated files of origin superuser choice
* CVE-2026-6476: PostgreSQL pg_createsubscriber allows SQL injection via
subscription name
* CVE-2026-6477: PostgreSQL libpq lo_* functions let server superuser
overwrite client stack
* CVE-2026-6478: PostgreSQL discloses MD5-hashed passwords via covert
timing channel
* CVE-2026-6479: PostgreSQL SSL/GSS init causes denial of service, via
uncontrolled recursion
* CVE-2026-6575: PostgreSQL pg_restore_attribute_stats accepts values
that cause query planning to read past end of stats array
* CVE-2026-6637: PostgreSQL refint allows stack buffer overflow and SQL
injection
* CVE-2026-6638: PostgreSQL REFRESH PUBLICATION allows SQL injection via
table name
From Mark Patruck