This bug was fixed in the package postgresql-16 - 16.14-0ubuntu0.24.04.1

---------------
postgresql-16 (16.14-0ubuntu0.24.04.1) noble-security; urgency=medium

  * New upstream version (LP: #2152636).

    + A dump/restore is not required for those running 16.X.

    + However, if you are upgrading from a version earlier than 16.10, please
      see those release notes as well.

    + Prevent unbounded recursion while processing startup packets

      A malicious client could crash the connected backend by alternating
      rejected SSL and GSS encryption requests indefinitely.

      The PostgreSQL Project thanks Calif.io (in collaboration with Claude and
      Anthropic Research) for reporting this problem. (CVE-2026-6479)

    + Fix assorted integer overflows in memory-allocation calculations

      Various places were incautious about the possibility of integer overflow
      in calculations of how much memory to allocate. Overflow would lead to
      allocating a too-small buffer which the caller would then write past the
      end of. This would at least trigger server crashes, and probably could
      be exploited for arbitrary code execution. In many but by no means all
      cases, the hazard exists only in 32-bit builds. (CVE-2026-6473)

    + Properly quote object names in logical replication origin checks

      ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolated schema and
      relation names into SQL commands without quoting them, allowing
      execution of arbitrary SQL on the publisher. (CVE-2026-6638)

    + Reject over-length options in ts_headline()

      The StartSel, StopSel and FragmentDelimiter strings must not exceed 32Kb
      in length, but this was not checked for. An over-length value would
      typically crash the server. (CVE-2026-6473)

    + Guard against malicious time zone names in timeofday() and
      pg_strftime()

      A crafted time zone setting could pass % sequences to snprintf(),
      potentially causing crashes or disclosure of server memory. Another path
      to similar results was to overflow the limited-size output buffer used
      by pg_strftime(). (CVE-2026-6474)

    + When creating a multirange type, ensure the user has CREATE privilege on
      the schema specified for the multirange type

      The multirange type can be put into a different schema than its parent
      range type, but we neglected to apply the required privilege check when
      doing so. (CVE-2026-6472)

    + Use timing-safe string comparisons in authentication code

      Use timingsafe_bcmp() instead of memcmp() or strcmp() when checking
      passwords, hashes, etc. It is not known whether the data dependency of
      those functions is usefully exploitable in any of these places, but in
      the interests of safety, replace them. (CVE-2026-6478)

    + Mark PQfn() as unsafe, and avoid using it within libpq

      For a non-integral result type, PQfn() is not passed the size of the
      output buffer, so it cannot check that the data returned by the server
      will fit. A malicious server could therefore overwrite client memory.
      This is unfixable without an API change, so mark the function as
      deprecated. Internally to libpq, use a variant version that can apply
      the missing check. (CVE-2026-6477)

    + Prevent path traversal in pg_basebackup and pg_rewind

      These applications failed to validate output file paths read from their
      input, so that a malicious source could overwrite any file writable by
      these applications. Constrain where data can be written by rejecting
      paths that are absolute or contain parent-directory references.
      (CVE-2026-6475)

    + Guard against field overflow within contrib/intarray's query_int type
      and contrib/ltree's ltxtquery type

      Parsing of these query structures did not check for overflow of 16-bit
      fields, so that construction of an invalid query tree was possible. This
      can crash the server when executing the query. (CVE-2026-6473)

    + Guard against overly long values of contrib/ltree's lquery type

      Values with more than 64K items caused internal overflows, potentially
      resulting in stack smashes or wrong answers. (CVE-2026-6473)

    + Prevent SQL injection and buffer overruns in contrib/spi

      check_foreign_key() was insufficiently careful about quoting key values,
      and also used fixed-length buffers for constructing queries. While this
      module is only meant as example code, it still shouldn't contain such
      dangerous errors. (CVE-2026-6637)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/16/release-16-14.html.

  * d/postgresql-16.NEWS: update NEWS file.

 -- Athos Ribeiro <[email protected]>  Fri, 15 May 2026 09:22:56 -0300
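The two size-arithmetic items above (the integer overflows in allocation sizes, and the unchecked 16-bit count fields in intarray's query_int and ltree's ltxtquery) share one root cause: a size is computed and then trusted. The following is an added illustration, not PostgreSQL's own code and not the patch shipped in this package. It does all arithmetic in uint32_t so the wraparound that the release note says mostly affects 32-bit builds reproduces on a 64-bit host; the MAX_ALLOC_SIZE ceiling, the query_header struct and the helper names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: PostgreSQL's palloc() refuses requests above MaxAllocSize
 * (1 GB - 1 byte); the same ceiling is used here so the checks read alike. */
#define MAX_ALLOC_SIZE ((uint32_t) 0x3fffffffu)

/* All sizes are uint32_t on purpose: this is what size_t looks like on a
 * 32-bit build, where the release note says most of these hazards live. */

/* Vulnerable pattern: header + nitems * elem_size with no overflow check.
 * nitems = 0x40000001 and elem_size = 4 give 0x100000004, which wraps to 4,
 * so the caller gets a 12-byte buffer and then writes ~4 GB into it. */
static uint32_t unsafe_alloc_size32(uint32_t nitems, uint32_t elem_size, uint32_t header)
{
    return header + nitems * elem_size;
}

/* Hardened: each step is checked before it is performed. Returns 0 on
 * overflow or when the total exceeds MAX_ALLOC_SIZE; callers in this
 * example always pass a nonzero header, so 0 is never a valid size. */
static uint32_t checked_alloc_size32(uint32_t nitems, uint32_t elem_size, uint32_t header)
{
    uint32_t body, total;

    if (elem_size != 0 && nitems > UINT32_MAX / elem_size)
        return 0;                       /* nitems * elem_size would wrap */
    body = nitems * elem_size;
    if (body > UINT32_MAX - header)
        return 0;                       /* body + header would wrap */
    total = body + header;
    if (total == 0 || total > MAX_ALLOC_SIZE)
        return 0;                       /* beyond what the allocator allows */
    return total;
}

/* Allocate a variable-length array using the checked size; NULL on failure
 * instead of a too-small buffer. */
static void *safe_varlen_alloc(uint32_t nitems, uint32_t elem_size, uint32_t header)
{
    uint32_t size = checked_alloc_size32(nitems, elem_size, header);

    if (size == 0)
        return NULL;
    return calloc(1, size);
}

/* The intarray/ltree flavour of the same bug: an item count stored in a
 * 16-bit header field. Assumption: this struct stands in for the real
 * on-disk query header. */
typedef struct {
    uint16_t nitems;
} query_header;

/* Store the count only if it fits; 0 means it would have been truncated
 * and the resulting query tree would be inconsistent with its data. */
static int set_item_count16(query_header *hdr, size_t n)
{
    if (n > UINT16_MAX)
        return 0;
    hdr->nitems = (uint16_t) n;
    return 1;
}

/* Small wrapper so the check can be exercised without a caller-side struct. */
static int item_count_fits16(size_t n)
{
    query_header hdr;

    memset(&hdr, 0, sizeof hdr);
    return set_item_count16(&hdr, n);
}
```

The useful habit is the order of operations: test the multiplication before doing it, test the addition before doing it, and compare the final total against the allocator's ceiling, rather than inspecting the result after the fact, by which point the wrap has already happened.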

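For the timeofday()/pg_strftime() item, the hazard is a zone name that reaches snprintf() as part of the format string rather than as an argument. Below is an added example, written for this note and not taken from PostgreSQL, showing the vulnerable shape beside a hardened one. The TZ_ABBREV_MAX bound, the accepted character set and the function names are assumptions; the unsafe variant is only ever called with a benign name in main() because calling it with a hostile one is undefined behaviour.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 64 characters is a generous upper bound for a zone
 * abbreviation; real tzdata abbreviations are a handful of characters. */
#define TZ_ABBREV_MAX 64

/* Accept only the characters a zone abbreviation can legitimately contain.
 * '%' is rejected outright, which is what guarantees the hardened formatter
 * below never hands a conversion specifier to snprintf(). */
static int tz_abbrev_is_safe(const char *tz)
{
    size_t len;

    if (tz == NULL)
        return 0;
    len = strlen(tz);
    if (len == 0 || len > TZ_ABBREV_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char) tz[i];

        if (!isalnum(c) && c != '+' && c != '-' && c != '/' && c != '_')
            return 0;
    }
    return 1;
}

/* Vulnerable shape: the zone name is spliced into a format string and that
 * string is then used as the *format* of a second snprintf(). A zone named
 * "%s%s%s%n" is interpreted, not printed. Only ever called with a benign
 * name below. */
static int render_timeofday_unsafe(char *out, size_t outlen, const char *stamp, const char *tz)
{
    char fmt[256];

    snprintf(fmt, sizeof fmt, "%s %s", stamp, tz);
    return snprintf(out, outlen, fmt);  /* user data as format: the bug */
}

/* Hardened: the name is validated, substituted only through "%s", and the
 * return value is checked so a truncated result is reported, not used.
 * Returns 0 on success, -1 on an unsafe name or a too-small buffer. */
static int render_timeofday(char *out, size_t outlen, const char *stamp, const char *tz)
{
    int n;

    if (!tz_abbrev_is_safe(tz))
        return -1;
    n = snprintf(out, outlen, "%s %s", stamp, tz);
    if (n < 0 || (size_t) n >= outlen)
        return -1;                      /* would have been truncated */
    return 0;
}

/* Renders into a static buffer; NULL if render_timeofday() rejected it. */
static const char *render_timeofday_static(const char *stamp, const char *tz)
{
    static char buf[128];

    if (render_timeofday(buf, sizeof buf, stamp, tz) != 0)
        return NULL;
    return buf;
}

/* Exercises the truncation path with an output buffer of `outlen` bytes. */
static int render_timeofday_fits(size_t outlen, const char *stamp, const char *tz)
{
    char buf[128];

    if (outlen > sizeof buf)
        outlen = sizeof buf;
    return render_timeofday(buf, outlen, stamp, tz);
}

int main(void)
{
    char out[128];
    const char *stamp = "Fri May 15 09:22:56 2026";   /* constructed */

    printf("%s\n", render_timeofday_static(stamp, "EST"));
    render_timeofday_unsafe(out, sizeof out, stamp, "EST");  /* benign only */
    printf("%s\n", out);
    return 0;
}
```

The second half of the note, overflowing pg_strftime()'s fixed-size output buffer, is the same return-value check: snprintf() reports the length it wanted, and a value of outlen or more means the output was cut, which the hardened function treats as an error rather than silently passing along a partial string.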
** Changed in: postgresql-17 (Ubuntu Questing)
       Status: New => Fix Released

** CVE added: https://cve.org/CVERecord?id=CVE-2026-6476

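The pg_basebackup/pg_rewind fix constrains where received data may be written by rejecting absolute paths and parent-directory references. The check below is an added example of that rule, not the code in the package: it treats both '/' and '\\' as separators and refuses a drive-letter prefix so it is conservative on every platform, and the sample member names are constructed for the example. Names such as "..hidden" or "a..b" are ordinary file names and are deliberately left alone; only a component that is exactly ".." is rejected.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if `path` is a plain relative path with no ".." component,
 * 0 otherwise. Assumption of this example: '\\' is treated as a separator
 * and a drive prefix is rejected even on POSIX, to keep the rule simple. */
static int path_is_safe_relative(const char *path)
{
    const char *p = path;

    if (path == NULL || path[0] == '\0')
        return 0;
    if (path[0] == '/' || path[0] == '\\')
        return 0;                                   /* absolute */
    if (isalpha((unsigned char) path[0]) && path[1] == ':')
        return 0;                                   /* C:... */

    while (*p != '\0') {
        const char *start = p;

        while (*p != '\0' && *p != '/' && *p != '\\')
            p++;
        /* A component is ".." only when it is exactly two dots; "..foo" and
         * "a..b" are ordinary names and remain allowed. */
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return 0;
        if (*p != '\0')
            p++;                                    /* skip the separator */
    }
    return 1;
}

/* Join a validated relative path onto the output directory. Returns 0 on
 * success, -1 if the path is unsafe or the result would not fit. */
static int build_output_path(char *out, size_t outlen, const char *basedir, const char *relpath)
{
    int n;

    if (!path_is_safe_relative(relpath))
        return -1;
    n = snprintf(out, outlen, "%s/%s", basedir, relpath);
    if (n < 0 || (size_t) n >= outlen)
        return -1;
    return 0;
}

/* Convenience wrapper returning a static buffer, or NULL when rejected. */
static const char *build_output_path_static(const char *basedir, const char *relpath)
{
    static char buf[4096];

    if (build_output_path(buf, sizeof buf, basedir, relpath) != 0)
        return NULL;
    return buf;
}

/* Constructed sample of member names as a hostile source might send them;
 * only the ordinary ones should survive the check. */
static const char *const sample_members[] = {
    "base/13449/16384",
    "pg_wal/000000010000000000000001",
    "/etc/passwd",
    "pg_wal/../../.ssh/authorized_keys",
    "global/..hidden_but_fine",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
    "backup_label",
};

/* Number of sample names the check accepts. */
static int count_accepted(void)
{
    int accepted = 0;
    size_t n = sizeof sample_members / sizeof sample_members[0];

    for (size_t i = 0; i < n; i++)
        if (path_is_safe_relative(sample_members[i]))
            accepted++;
    return accepted;
}
```

Because the check is purely lexical, it does not resolve symlinks; a link planted inside the output directory would still need to be handled separately, which is outside what the release note describes.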
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2152636

Title:
   New PostgreSQL upstream microreleases 14.23, 16.14, 17.10, and 18.4

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postgresql-17/+bug/2152636/+subscriptions
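On the timing-safe comparison item: memcmp() and strcmp() stop at the first mismatching byte, so the time they take depends on how much of a guess is correct. The example below is added here and is not PostgreSQL's code; it instruments an early-exit compare to make the dependency visible, then gives a constant-time byte compare with the contract of OpenBSD's timingsafe_bcmp() (0 iff equal) and a constant-time string equality for stored hashes. Function names are the example's own.

```c
#include <stddef.h>
#include <string.h>

/* Early-exit comparison, instrumented to report how many bytes it looked at.
 * This is the shape of memcmp()/strcmp(): the work done depends on where the
 * first mismatch sits, which is the data dependency the note warns about. */
static size_t early_exit_cmp_steps(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (a[i] != b[i])
            return i + 1;
    return n;
}

/* Constant-time byte comparison with timingsafe_bcmp() semantics: returns 0
 * iff the n bytes are equal. Every byte is visited and the differences are
 * OR-ed together, so there is no data-dependent branch or early return. */
static int ct_bcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = (const unsigned char *) a;
    const unsigned char *pb = (const unsigned char *) b;
    unsigned char diff = 0;

    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char) (pa[i] ^ pb[i]);
    return diff != 0;
}

/* Constant-time equality for NUL-terminated strings such as stored password
 * hashes. The loop always runs over the full length of `expected` (the stored
 * value), so the time depends only on that length, which is not secret, and
 * never on how many leading bytes of `supplied` happen to match. */
static int ct_str_eq(const char *expected, const char *supplied)
{
    size_t le = strlen(expected);
    size_t ls = strlen(supplied);
    unsigned char diff = (unsigned char) (le != ls);

    for (size_t i = 0; i < le; i++) {
        /* Past the end of `supplied`, compare against 0; the result is
         * already forced unequal by the length check above. */
        unsigned char s = (i < ls) ? (unsigned char) supplied[i] : 0;

        diff |= (unsigned char) ((unsigned char) expected[i] ^ s);
    }
    return diff == 0;
}
```

Two things a reviewer should check when swapping these in: the return convention changes (timingsafe_bcmp() reports only equal/not-equal, never ordering), and the compiler must not be allowed to turn the accumulating loop back into an early exit, which is why the result is built with OR over every byte rather than with a comparison that can short-circuit.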


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
