postgresql-18 (18.4-1) unstable; urgency=medium

  [ Christoph Berg ]
  * New upstream version 18.4.

    + Prevent unbounded recursion while processing startup packets
      (Michael Paquier)

      A malicious client could crash the connected backend by alternating
      rejected SSL and GSS encryption requests indefinitely.

      The PostgreSQL Project thanks Calif.io (in collaboration with Claude and
      Anthropic Research) for reporting this problem. (CVE-2026-6479)

    + Fix assorted integer overflows in memory-allocation calculations
      (Tom Lane, Nathan Bossart, Heikki Linnakangas)

      Various places were incautious about the possibility of integer overflow
      in calculations of how much memory to allocate.  Overflow would lead to
      allocating a too-small buffer which the caller would then write past the
      end of.  This would at least trigger server crashes, and probably could
      be exploited for arbitrary code execution.  In many but by no means all
      cases, the hazard exists only in 32-bit builds.

      The PostgreSQL Project thanks Xint Code, Bruce Dang, Sven Klemm, and
      Pavel Kohout for reporting these problems. (CVE-2026-6473)

    + Properly quote subscription names in pg_createsubscriber
      (Nathan Bossart)

      The given subscription name was inserted into SQL commands without
      quoting, so that SQL injection could be achieved in the (perhaps
      unlikely) case that the subscription name comes from an untrusted
      source.

      The PostgreSQL Project thanks Yu Kunpeng for reporting this problem.
      (CVE-2026-6476)

    + Properly quote object names in logical replication origin checks
      (Pavel Kohout)

      ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolated schema and
      relation names into SQL commands without quoting them, allowing
      execution of arbitrary SQL on the publisher.

      The PostgreSQL Project thanks Pavel Kohout for reporting this problem.
      (CVE-2026-6638)

    + Reject over-length options in ts_headline() (Michael Paquier)

      The StartSel, StopSel and FragmentDelimiter strings must not exceed 32Kb
      in length, but this was not checked for.  An over-length value would
      typically crash the server.

      The PostgreSQL Project thanks Xint Code for reporting this problem.
      (CVE-2026-6473)

    + Detect faulty input when restoring attribute MCV statistics
      (Michael Paquier)

      The statistics restore functions were insufficiently careful about
      validating most-common-value statistics, and would accept values that
      could crash the planner later on.

      The PostgreSQL Project thanks Jeroen Gui for reporting this problem.
      (CVE-2026-6575)

    + Guard against malicious time zone names in timeofday() and pg_strftime()
      (Tom Lane)

      A crafted time zone setting could pass % sequences to snprintf(),
      potentially causing crashes or disclosure of server memory.  Another
      path to similar results was to overflow the limited-size output buffer
      used by pg_strftime().

      The PostgreSQL Project thanks Xint Code for reporting this problem.
      (CVE-2026-6474)

    + When creating a multirange type, ensure the user has CREATE privilege on
      the schema specified for the multirange type (Jelte Fennema-Nio)

      The multirange type can be put into a different schema than its parent
      range type, but we neglected to apply the required privilege check when
      doing so.

      The PostgreSQL Project thanks Jelte Fennema-Nio for reporting this
      problem. (CVE-2026-6472)

    + Use timing-safe string comparisons in authentication code
      (Michael Paquier)

      Use timingsafe_bcmp() instead of memcpy() or strcmp() when checking
      passwords, hashes, etc.  It is not known whether the data dependency of
      those functions is usefully exploitable in any of these places, but in
      the interests of safety, replace them.

      The PostgreSQL Project thanks Joe Conway for reporting this problem.
      (CVE-2026-6478)

    + Mark PQfn() as unsafe, and avoid using it within libpq (Nathan Bossart)

      For a non-integral result type, PQfn() is not passed the size of the
      output buffer, so it cannot check that the data returned by the server
      will fit.  A malicious server could therefore overwrite client memory.
      This is unfixable without an API change, so mark the function as
      deprecated.  Internally to libpq, use a variant version that can apply
      the missing check.

      The PostgreSQL Project thanks Yu Kunpeng and Martin Heistermann for
      reporting this problem. (CVE-2026-6477)

    + Prevent path traversal in pg_basebackup and pg_rewind (Michael Paquier)

      These applications failed to validate output file paths read from their
      input, so that a malicious source could overwrite any file writable by
      these applications.  Constrain where data can be written by rejecting
      paths that are absolute or contain parent-directory references.

      The PostgreSQL Project thanks XlabAI Team of Tencent Xuanwu Lab and
      Valery Gubanov for reporting this problem. (CVE-2026-6475)

    + Guard against field overflow within contrib/intarray's query_int type
      and contrib/ltree's ltxtquery type (Tom Lane)

      Parsing of these query structures did not check for overflow of 16-bit
      fields, so that construction of an invalid query tree was possible.
      This can crash the server when executing the query.

      The PostgreSQL Project thanks Xint Code for reporting this problem.
      (CVE-2026-6473)

    + Guard against overly long values of contrib/ltree's lquery type
      (Michael Paquier)

      Values with more than 64K items caused internal overflows, potentially
      resulting in stack smashes or wrong answers.

      The PostgreSQL Project thanks Vergissmeinnicht, A1ex, and Jihe Wang for
      reporting this problem. (CVE-2026-6473)

    + Prevent SQL injection and buffer overruns in contrib/spi
      (Nathan Bossart)

      check_foreign_key() was insufficiently careful about quoting key values,
      and also used fixed-length buffers for constructing queries.  While this
      module is only meant as example code, it still shouldn't contain such
      dangerous errors.

      The PostgreSQL Project thanks Nikolay Samokhvalov for reporting this
      problem. (CVE-2026-6637)

  * Add zh_TW, zh_CN debconf translations. Thanks Yangfl! (Closes: #1124468)

  [ Michael Banck ]
  * Add patch that fixes TAP tests on hurd.

 -- Christoph Berg <myon@debian.org>  Mon, 11 May 2026 22:49:32 +0200

postgresql-18 (18.3-1) unstable; urgency=medium

  * New upstream version 18.3.

    + Fix failure after replaying a multixid truncation record from WAL that
      was generated by an older minor version (Heikki Linnakangas)

      Erroneous logic for coping with the way that previous versions handled
      multixid wraparound led to replay failure, with messages like "could not
      access status of transaction". A typical scenario in which this could
      occur is a standby server of the latest minor version consuming WAL from
      a primary server of an older version.

    + Avoid incorrect complaint of invalid encoding when substring() is
      applied to toasted data (Noah Misch)

      The fix for CVE-2026-2006 was too aggressive and could raise an error
      about an incomplete character in cases that are actually valid.

    + Fix oversight in the fix for CVE-2026-2007 (Zsolt Parragi)

      If the bounds array needed to be expanded, because the input contained
      more trigrams than the initial guess, generate_trgm_only didn't return
      the modified array pointer to its caller.  That would lead to incorrect
      output from strict_word_similarity() and related functions, or in rare
      cases a crash.  The faulty code is reached if the input string becomes
      longer when it's converted to lower case. The only known instances of
      that occur when an ICU locale is used with certain single-byte
      encodings.

    + Fix the volatility marking of json_strip_nulls() and jsonb_strip_nulls()
      (Andrew Dunstan)

      These functions have always been considered immutable, but refactoring
      in version 18 accidentally marked them stable instead. That prevents
      their use in index expressions and could cause unnecessary repeat
      evaluations in queries.  This fix corrects the marking in
      newly-initialized database clusters (including clusters that are
      pg_upgrade'd to 18.3 or later). However it will not help existing
      clusters made using 18.0 through 18.2.

      If this mistake affects your usage of these functions, the recommended
      fix for an existing cluster is a manual catalog update. As superuser,
      perform

      UPDATE pg_catalog.pg_proc SET provolatile = 'i' WHERE oid IN ('3261','3262');

      in each affected database.  Update template0 and template1 as well, so
      that databases made in future will have the fix.

 -- Christoph Berg <myon@debian.org>  Tue, 24 Feb 2026 12:48:56 +0100

postgresql-18 (18.2-1) unstable; urgency=medium

  * New upstream version 18.2.

    + Guard against unexpected dimensions of oidvector/int2vector (Tom Lane)

      These data types are expected to be 1-dimensional arrays containing no
      nulls, but there are cast pathways that permit violating those
      expectations.  Add checks to some functions that were depending on those
      expectations without verifying them, and could misbehave in consequence.

      The PostgreSQL Project thanks Altan Birler for reporting this problem.
      (CVE-2026-2003)

    + Harden selectivity estimators against being attached to operators that
      accept unexpected data types (Tom Lane)

      contrib/intarray contained a selectivity estimation function that could
      be abused for arbitrary code execution, because it did not check that
      its input was of the expected data type.  Third-party extensions should
      check for similar hazards and add defenses using the technique intarray
      now uses. Since such extension fixes will take time, we now require
      superuser privilege to attach a non-built-in selectivity estimator to an
      operator.

      The PostgreSQL Project thanks Daniel Firer, as part of zeroday.cloud,
      for reporting this problem. (CVE-2026-2004)

    + Fix buffer overrun in contrib/pgcrypto's PGP decryption functions
      (Michael Paquier)

      Decrypting a crafted message with an overlength session key caused a
      buffer overrun, with consequences as bad as arbitrary code execution.

      The PostgreSQL Project thanks Team Xint Code, as part of zeroday.cloud,
      for reporting this problem. (CVE-2026-2005)

    + Fix inadequate validation of multibyte character lengths
      (Thomas Munro, Noah Misch)

      Assorted bugs allowed an attacker able to issue crafted SQL to overrun
      string buffers, with consequences as bad as arbitrary code execution.
      After these fixes, applications may observe invalid byte sequence for
      encoding errors when string functions process invalid text that has been
      stored in the database.

      The PostgreSQL Project thanks Paul Gerste and Moritz Sanft, as part of
      zeroday.cloud, for reporting this problem. (CVE-2026-2006)

    + Harden contrib/pg_trgm against changes in string lowercasing behavior
      (Heikki Linnakangas)

      Fix potential buffer overruns arising from the fact that in some locales
      lower-casing a string can produce more characters (not bytes) than were
      in the original.  That behavior is new in version 18, and so is the bug.

      The PostgreSQL Project thanks Heikki Linnakangas for reporting this
      problem. (CVE-2026-2007)

  * Remove pg_numa_init and LLVM 21 patches, merged upstream.

 -- Christoph Berg <myon@debian.org>  Tue, 10 Feb 2026 11:26:19 +0100

postgresql-18 (18.1-2) unstable; urgency=medium

  * Fix build with LLVM 21.

 -- Christoph Berg <myon@debian.org>  Thu, 11 Dec 2025 17:37:16 +0100

postgresql-18 (18.1-1) unstable; urgency=medium

  * New upstream version 18.1.

    + Check for CREATE privileges on the schema in CREATE STATISTICS
      (Jelte Fennema-Nio)

      This omission allowed table owners to create statistics in any schema,
      potentially leading to unexpected naming conflicts.

      The PostgreSQL Project thanks Jelte Fennema-Nio for reporting this
      problem. (CVE-2025-12817)

    + Avoid integer overflow in allocation-size calculations within libpq
      (Jacob Champion)

      Several places in libpq were not sufficiently careful about computing
      the required size of a memory allocation.  Sufficiently large inputs
      could cause integer overflow, resulting in an undersized buffer, which
      would then lead to writing past the end of the buffer.

      The PostgreSQL Project thanks Aleksey Solovev of Positive Technologies
      for reporting this problem. (CVE-2025-12818)

  * Handle EPERM in pg_numa_init.
  * Test-Depend on postgresql-common-dev.

 -- Christoph Berg <myon@debian.org>  Tue, 11 Nov 2025 13:05:55 +0100

postgresql-18 (18.0-1) unstable; urgency=medium

  * PostgreSQL 18.0.
  * B-D on openssl.

 -- Christoph Berg <myon@debian.org>  Tue, 23 Sep 2025 21:46:05 +0200

postgresql-18 (18~rc1-3) unstable; urgency=medium

  * libpq.pc: Drop libcurl from Requires.private.

 -- Christoph Berg <myon@debian.org>  Tue, 23 Sep 2025 17:12:07 +0200

postgresql-18 (18~rc1-2) unstable; urgency=medium

  * Upload to unstable in preparation of 18.0 release.
  * B-D on postgresql-common-dev instead of -common.
  * Drop move-pages32 patch, upstream had a different fix already.

 -- Christoph Berg <myon@debian.org>  Mon, 22 Sep 2025 12:37:17 +0200

postgresql-18 (18~rc1-1) experimental; urgency=medium

  * New upstream version 18rc1.
  * libpq-oauth.lintian-overrides: Package is a plugin.

 -- Christoph Berg <myon@debian.org>  Wed, 13 Aug 2025 23:37:10 +0200

postgresql-18 (18~beta3-1) experimental; urgency=medium

  * New upstream version 18beta3.
  * Drop obsolete patches: focal-arm64-outline-atomics, jit-s390x.

 -- Christoph Berg <myon@debian.org>  Tue, 12 Aug 2025 12:08:31 +0200

postgresql-18 (18~beta2-1) experimental; urgency=medium

  * New upstream version 18beta2.
  * Drop hurd-iovec patch, implemented upstream.
  * debian/libpq5.symbols: Remove PQservice (introduced earlier in 18).

 -- Christoph Berg <myon@debian.org>  Fri, 18 Jul 2025 12:48:48 +0200

postgresql-18 (18~beta1+20250701-1) experimental; urgency=medium

  * New upstream snapshot.

 -- Christoph Berg <myon@debian.org>  Tue, 01 Jul 2025 11:36:41 +0200

postgresql-18 (18~beta1+20250624-1) experimental; urgency=medium

  * New upstream snapshot.
  * Restrict libpq-oauth and B-D: libnuma-dev to [linux-any].
  * Work around a Linux 32-bit bug in move_pages on 64-bit kernels.
  * Add Turkish debconf translation by Atila KOÇ, thanks! (Closes: #1107984)
  * Add Catalan debconf translation by Carles Pina i Estany, thanks!

 -- Christoph Berg <myon@debian.org>  Mon, 23 Jun 2025 14:37:14 +0200

postgresql-18 (18~beta1+20250612-1) experimental; urgency=medium

  * New upstream snapshot.
  * Add B-D on libnuma-dev.

 -- Christoph Berg <myon@debian.org>  Fri, 06 Jun 2025 14:29:17 +0200

postgresql-18 (18~beta1-1) experimental; urgency=medium

  * First beta version.

 -- Christoph Berg <myon@debian.org>  Tue, 06 May 2025 20:28:58 +0200

postgresql-18 (18~~devel.20250502-1) experimental; urgency=medium

  * Split libpq-oauth into a separate package so libpq5 does not have to
    depend on libcurl.

 -- Christoph Berg <myon@debian.org>  Fri, 02 May 2025 10:39:45 +0200

postgresql-18 (18~~devel.20250421-1) experimental; urgency=medium

  * New upstream snapshot.

 -- Christoph Berg <myon@debian.org>  Mon, 21 Apr 2025 21:07:47 +0200

postgresql-18 (18~~devel.20250405-1) experimental; urgency=medium

  * New upstream snapshot.
  * B-D on liburing-dev.

 -- Christoph Berg <myon@debian.org>  Wed, 02 Apr 2025 15:15:38 +0200

postgresql-18 (18~~devel.20250331-1) experimental; urgency=medium

  * New upstream snapshot.
  * Drop extension_destdir patch, implemented upstream as
    extension_control_path.
  * Disable JIT on loong64 and riscv64 again, still segfaulting.

 -- Christoph Berg <myon@debian.org>  Wed, 19 Mar 2025 15:47:26 +0100

postgresql-18 (18~~devel.20250318+g4078da6c478-1) experimental; urgency=medium

  * New major upstream version 18; packaging based on postgresql-17.
  * Move JIT to new postgresql-18-jit package. (Closes: #927182)
  * Enable JIT only on 64-bit architectures.

 -- Christoph Berg <myon@debian.org>  Tue, 18 Mar 2025 16:43:43 +0100
