postgresql:12 security update
エラータID: AXSA:2026-1167:01
PostgreSQL is an advanced object-relational database management system (DBMS).
Security Fix(es):
* postgresql: PostgreSQL: Credential recovery via covert timing channel in MD5 password comparison (CVE-2026-6478)
* postgresql: integer overflow can cause an undersized allocation and an out-of-bounds write (CVE-2026-6473)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-6473
Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6478
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Modularity name: "postgresql"
Stream name: "12"
Update packages.
Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
N/A
SRPMS
- pgaudit-1.4.0-7.module+el8+1996+06d58afe.ML.1.src.rpm
MD5: 5ada91d525b8f1ffaafc933c437c8d63
SHA-256: 2ef2cb4dbf6b869ffc1790b3a8387170d02076c7d823f243dd9a7a529329dbd1
Size: 42.40 kB - pg_repack-1.4.6-3.module+el8+1996+06d58afe.src.rpm
MD5: e23f31d9bc3568d54d3c1a471f4feec0
SHA-256: 71976bdbaaa8020def79eb39413371526732ce61a03ee9e54180dbf8c5687d02
Size: 100.99 kB - postgres-decoderbufs-0.10.0-2.module+el8+1996+06d58afe.src.rpm
MD5: d0c2f1c89a7f62de1168c208e42a0ab8
SHA-256: ff1be3aca7997abf10137df4143e3f74511af87223b79381cfdfdde873905804
Size: 21.13 kB - postgresql-12.22-7.module+el8+1996+06d58afe.src.rpm
MD5: 4be580c38ad8a514ffb721a595fd853c
SHA-256: 544added8a058d888b44d510b321d1c478f74d96f59dcb2520fb05d443826399
Size: 46.81 MB
Asianux Server 8 for x86_64
- pgaudit-1.4.0-7.module+el8+1996+06d58afe.ML.1.x86_64.rpm
MD5: 358461fdcfe5f088f20c8af177f6321b
SHA-256: 2748e08e85ce4edbe93dbcee2a1ae6fe77b462a40dd7bc2e1e175bef3faf76c1
Size: 27.10 kB - pgaudit-debugsource-1.4.0-7.module+el8+1996+06d58afe.ML.1.x86_64.rpm
MD5: edd23034431517cf56de212a4a038f3b
SHA-256: c7fbb9262935a2eb7d838b3bd60e1991e96f3a78cf160d575e3814ca6bfc0d1b
Size: 23.04 kB - pg_repack-1.4.6-3.module+el8+1996+06d58afe.x86_64.rpm
MD5: eae559c42bfd225dc0bdc9d62b74476c
SHA-256: d7684a3ac66cecdd2ea3eba02a03bf272ef5e98036b03320c2ae6caf3d0b21b6
Size: 89.71 kB - pg_repack-debugsource-1.4.6-3.module+el8+1996+06d58afe.x86_64.rpm
MD5: 021ece55cf2e56d48fdbe5bd7d2ff8d9
SHA-256: f5ffcd4f7b4a0f6d95b6c4e4b4755d57b118039d0d668b13072ffa5bd524f6a3
Size: 49.69 kB - postgres-decoderbufs-0.10.0-2.module+el8+1996+06d58afe.x86_64.rpm
MD5: f0aff9d1a2a8738089339e1d6dc6318a
SHA-256: 655092333d24836d389c07c296c33c7155b38f69f499c7917f5cf85a7bb2202f
Size: 21.83 kB - postgres-decoderbufs-debugsource-0.10.0-2.module+el8+1996+06d58afe.x86_64.rpm
MD5: 9ec5e961653ea3b61a4081c4e16de311
SHA-256: dba0c08908c2d22624d106a9005f93101324d5334396e3166974b81451d2c2ae
Size: 16.81 kB - postgresql-12.22-7.module+el8+1996+06d58afe.x86_64.rpm
MD5: 51499d97b016936e42f9a68745dc3876
SHA-256: 3020c4c13f14e76b96c55b27d68aedcd338976d87c2b8bbfaa37670fade1ce06
Size: 1.53 MB - postgresql-contrib-12.22-7.module+el8+1996+06d58afe.x86_64.rpm
MD5: 3ca3de1fa51f516b30f421b96522e2a3
SHA-256: d8eabb6775a5def889f0372d88fdb72307a0f47524c690fd06ee601553d235c4
Size: 878.36 kB - postgresql-debugsource-12.22-7.module+el8+1996+06d58afe.x86_64.rpm
MD5: 452915d291693f55c7c391f55aac0ea5
SHA-256: 2cb16e3f65b7adc19b7b918931d02147d264e79b84883a5f4b2f7d27fc3ebc3c
Size: 17.00 MB - postgresql-docs-12.22-7.module+el8+1996+06d58afe.x86_64.rpm
MD5: 5f89fac9ef81b288bcd14224c6b1d367
SHA-256: e4d8767f3ce658182b6a96e07f4f50b466ae125e06a37198eed17bf5deb8a8d5
Size: 9.85 MB - postgresql-plperl-12.22-7.module+el8+1996+06d58afe.x86_64.rpm
MD5: 02ad060ce605d2a3fe3fff20c882cf5b
SHA-256: bafc61d13093935e28102437a84277ae71cbef755c384eea9af00d6644cdf25c
Size: 110.53 kB - postgresql-plpython3-12.22-7.module+el8+1996+06d58afe.x86_64.rpm
MD5: c09c03ff6b8ea67506b79a87e23a770b
SHA-256: ed8a11412816d133b027837c6c49479bd053b15548893aa33316d0e018d3ff27
Size: 130.53 kB - postgresql-pltcl-12.22-7.module+el8+1996+06d58afe.x86_64.rpm
MD5: 10160da6d1515d78437793636c543fc8
SHA-256: 3ff3e0e99f23bf186ba2808f47bfbb4130e6e2736d7dff0b8142996fb8f4ec80
Size: 86.03 kB - postgresql-server-12.22-7.module+el8+1996+06d58afe.x86_64.rpm
MD5: d05a77340d999abac500cb008bcd81de
SHA-256: 5cc47de807bffead727abd2f4c076b8fa8a3af370a8e41eb50e878d63ce1d0cb
Size: 5.56 MB - postgresql-server-devel-12.22-7.module+el8+1996+06d58afe.x86_64.rpm
MD5: cc6159de0a839affe55ed887496d5a97
SHA-256: 9fdb081cfc3fff667deb3ad549f2a4ad3944296f76633a89c72e78db33f6b20c
Size: 1.23 MB - postgresql-static-12.22-7.module+el8+1996+06d58afe.x86_64.rpm
MD5: def45bec82d5cf8f3a762db99f1b5dff
SHA-256: 883485136bed3110d0f3d739c0ad3390de0649b0188c7583ba0551006a1e2124
Size: 177.33 kB - postgresql-test-12.22-7.module+el8+1996+06d58afe.x86_64.rpm
MD5: 248290737734da87b30965f83c04c704
SHA-256: 63565e179ce936810157dd58207c43d1139b758cbf2fdf55f4449a74b4521ea3
Size: 1.97 MB - postgresql-test-rpm-macros-12.22-7.module+el8+1996+06d58afe.noarch.rpm
MD5: 45b76cc6d2f492c7152f96b0e1bf6839
SHA-256: 744eb0bf6bfe06b7dcfe9f2c96b894de400bc1cf05ce99741a44c2565912d66c
Size: 53.71 kB - postgresql-upgrade-12.22-7.module+el8+1996+06d58afe.x86_64.rpm
MD5: 3370f355169f37a68f506c1831d77f3c
SHA-256: 935b9e406180ed5314afedc8a495172e0d4d5b6f202bbd8c2cc293a28544e52a
Size: 4.07 MB - postgresql-upgrade-devel-12.22-7.module+el8+1996+06d58afe.x86_64.rpm
MD5: 89467af2d7030fc129fb4f85f7818f72
SHA-256: 2dceb739b3b4619759f239ec79f3bc806c43c2eaa43ffe90b03ec8c840c754c9
Size: 1.13 MB