Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-881


Security update for postgresql18


Type: security
Severity: important
Issued: 2026-03-12
Description:
This update for postgresql18 fixes the following issues:

Update to version 18.3 (bsc#1258754).

Security issues fixed:

- CVE-2026-2003: improper validation of type "oidvector" may allow disclosure of a few bytes of server memory (bsc#1258008).
- CVE-2026-2004: intarray missing validation of type of input to selectivity estimator could lead to arbitrary code
  execution (bsc#1258009).
- CVE-2026-2005: buffer overrun in contrib/pgcrypto's PGP decryption functions could lead to arbitrary code execution
  (bsc#1258010).
- CVE-2026-2006: inadequate validation of multibyte character lengths could lead to arbitrary code execution
  (bsc#1258011).
- CVE-2026-2007: pg_trgm heap buffer overflow can cause a pattern to be written onto server memory (bsc#1258012).

Regression fixes:

  - the substring() function raises an error "invalid byte sequence for encoding" on non-ASCII text values if the
    source of that value is a database column (caused by CVE-2026-2006 fix).
  - a standby may halt and return an error "could not access status of transaction".


              

Packages


  • postgresql18-18.3-150600.13.8.1