SUSE Package Hub - SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-786

Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-786

Security update for postgresql14

Type: security

Severity: important

Issued: 2026-03-03

Description:

This update for postgresql14 fixes the following issues:

Update to version 14.22 (bsc#1258754).

Security issues fixed:

- CVE-2026-2003: improper validation of type "oidvector" may allow disclose a few bytes of server memory (bsc#1258008).
- CVE-2026-2004: intarray missing validation of type of input to selectivity estimator could lead to arbitrary code
  execution (bsc#1258009).
- CVE-2026-2005: buffer overrun in contrib/pgcrypto's PGP decryption functions could lead to arbitrary code execution
  (bsc#1258010).
- CVE-2026-2006: inadequate validation of multibyte character lengths could lead to arbitrary code execution
  (bsc#1258011).
    
Regression fixes:

  - the substring() function raises an error "invalid byte sequence for encoding" on non-ASCII text values if the
    source of that value is a database column (caused by CVE-2026-2006 fix).
  - a standby may halt and return an error "could not access status of transaction".

References

Packages

postgresql14-14.22-150600.16.28.1