-------------------------------------------------------------------------
Debian LTS Advisory DLA-4524-1                            [email protected]
https://www.debian.org/lts/security/                   Jochen Sprickerhof
April 08, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : postgresql-13
Version : 13.23-0+deb11u2
CVE ID : CVE-2026-2003 CVE-2026-2004 CVE-2026-2005 CVE-2026-2006
Debian Bug :
Multiple vulnerabilities were fixed in PostgreSQL, a popular database.
CVE-2026-2003

    Improper validation of type "oidvector" in PostgreSQL allows a
    database user to disclose a few bytes of server memory. We have not
    ruled out viability of attacks that arrange for presence of
    confidential information in disclosed bytes, but they seem unlikely.

CVE-2026-2004

    Missing validation of type of input in the PostgreSQL intarray
    extension selectivity estimator function allows an object creator to
    execute arbitrary code as the operating system user running the
    database.

CVE-2026-2005

    Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext
    provider to execute arbitrary code as the operating system user
    running the database.

CVE-2026-2006

    Missing validation of multibyte character length in PostgreSQL text
    manipulation allows a database user to issue crafted queries that
    achieve a buffer overrun. That suffices to execute arbitrary code as
    the operating system user running the database.
For Debian 11 bullseye, these problems have been fixed in version
13.23-0+deb11u2.
We recommend that you upgrade your postgresql-13 packages.
For the detailed security status of postgresql-13 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-13
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS