[security - high] postgresql:15 security update, postgresql-15.18-1.module+el8+1991+27afe6d7
エラータID: AXSA:2026-811:01
PostgreSQL is an advanced object-relational database management system (DBMS).
Security Fix(es):
* postgresql: PostgreSQL: Credential recovery via covert timing channel in MD5 password comparison (CVE-2026-6478)
* postgresql: integer overflow can cause an undersized allocation and an out-of-bounds write (CVE-2026-6473)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-6473
Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6475
Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6477
Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6478
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Modularity name: "postgresql"
Stream name: "15"
Update packages.
Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
N/A
SRPMS
- pgaudit-1.7.0-1.module+el8+1991+27afe6d7.src.rpm
MD5: 31dd94e9defb2c0299d0369543c8c34c
SHA-256: c4423744ec3d8d2b3332657482395e9f2b7d3d226612639a4598d772759e1d7f
Size: 52.57 kB - pg_repack-1.4.8-1.module+el8+1991+27afe6d7.ML.1.src.rpm
MD5: 5c16b9214ad7d1c32e5307f5bd07a3ab
SHA-256: c5a759e828af9ad3b32acd943a72d16121d7d4b6aad5e5bb9914ddc3fb47b558
Size: 102.82 kB - postgres-decoderbufs-1.9.7-1.Final.module+el8+1991+27afe6d7.src.rpm
MD5: 82ca1f6d0596b287b81d7a41b944b49c
SHA-256: f7052ed812132ff2d792c7b960b34b24c636f42c8919f1db4ee2f69b9f39b28c
Size: 23.30 kB - postgresql-15.18-1.module+el8+1991+27afe6d7.src.rpm
MD5: 6f0ff4cf20e58424d05c091bfb4bfc1a
SHA-256: a6da81878b0bc8b458e39daf19787a484c0d2e115529f576e53888f1dae2ce0d
Size: 43.68 MB
Asianux Server 8 for x86_64
- pgaudit-1.7.0-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: 9eb219b8676cfa8f3d4bf96602aa8806
SHA-256: 6f57f7ccfa157b4d27ba7138a822cd61bf5433788a764453935cd713509c2546
Size: 28.33 kB - pgaudit-debugsource-1.7.0-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: a79429d2bab059728693c0e4acff2026
SHA-256: b20820c67b46f9df065203e4f6a532821af8524aa432f283fff444040e55bc23
Size: 24.12 kB - pg_repack-1.4.8-1.module+el8+1991+27afe6d7.ML.1.x86_64.rpm
MD5: f0200cdffa1cb88138703f4efb013fff
SHA-256: c6e34726115c25f9fc6ffa7dcab63f25bb5a34ffd612511c41e79d7b0a3fb592
Size: 95.10 kB - pg_repack-debugsource-1.4.8-1.module+el8+1991+27afe6d7.ML.1.x86_64.rpm
MD5: 445bdc3900bd26717d6c8cc3e5a645e3
SHA-256: 235244e2eb7cc67865c15061f07d505fa9da6a71d9ff1a1e0291d503c0e0b3e9
Size: 50.73 kB - postgres-decoderbufs-1.9.7-1.Final.module+el8+1991+27afe6d7.x86_64.rpm
MD5: 5b6a4dc3de93c0a01728a99a912b5bca
SHA-256: b99bf4da06787f68a4e601cc32d8b422e35393520da34ed72d331d52799764f4
Size: 23.82 kB - postgres-decoderbufs-debugsource-1.9.7-1.Final.module+el8+1991+27afe6d7.x86_64.rpm
MD5: e3e5ef77915e279f131b146a4a2cbc97
SHA-256: 77de41f5c1ca81bffec49ba49a83a2529cdaf4f54af81f33e20eb3e1d212f6fc
Size: 18.27 kB - postgresql-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: 8dad23a897853275560cb1ecb829dcc7
SHA-256: e4c75debc5a7b491b36a62556f4770aab29a1c4149650c3af9135159140a91c6
Size: 1.74 MB - postgresql-contrib-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: 7a5752f347ae46fc93c411719e195e58
SHA-256: fae8cc0295c49c818d9d79a193587bedbeabf3497c5de68015a7ea4c7d124fa6
Size: 972.97 kB - postgresql-debugsource-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: c6fe83358beccbb9ce922c694615152f
SHA-256: 61c2469502a5d0a9526d5361ffb47e1e582c83f7b73a4b85034bf60f7fc1a7b9
Size: 18.99 MB - postgresql-docs-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: 5ccab85ccce826b742896878b14fe1f5
SHA-256: dddf3f0b9c35cec0a55ac8c9ec77eeed21cdd2481e68a67d44f8ecd86dafb816
Size: 3.06 MB - postgresql-plperl-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: 9fa1111f3fe0d61d4cc1dac3a6de23e9
SHA-256: 78065089ac8def278fdfdce695492551859397c32c181cc2dd620e1b74020c4c
Size: 73.37 kB - postgresql-plpython3-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: 6bb45c45b4bda994f209fd5248882fa5
SHA-256: f4eba3d8c23bb61bc5680256027cb2be0d7d126ec4a99071fd2620192fcd5b7e
Size: 93.01 kB - postgresql-pltcl-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: aa7d6858550e7b6696834991f54ac6d8
SHA-256: a08ac00dcf0792b33a49834676ac1e9897f8e6936d23bd72d2c03aeb0f24e301
Size: 45.87 kB - postgresql-private-devel-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: 3264e60184ed9c422a3882c862e5cbfb
SHA-256: 98e9f5fe446e2a58bbfd73f0c0a8aedc953ca55094f324990cbfbe072d6a1aba
Size: 65.42 kB - postgresql-private-libs-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: 4979df3f977e9761432bb3df5f22f81f
SHA-256: 2738fd6cdf6996a37d55c2e3b013b026832f43a8ffd243d3d1c95439becc549e
Size: 133.37 kB - postgresql-server-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: db0abdcc46715f6331882b3029200a68
SHA-256: 49f215197e6ea2c86c229b1818def1f15eb1998bdb30731ecf3c55be4be5d4c8
Size: 6.17 MB - postgresql-server-devel-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: d55e526c0e9650d075f3a541b2945335
SHA-256: 1461000e42d14e58dd3bde9bcee37357cfdc2959b2830370ed73106a396f24f8
Size: 1.38 MB - postgresql-static-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: b40c6758f8a0b671f7a5e890b2496bc2
SHA-256: 4811b132f6d17da21eb77fee13559474443bec6157f9aba069e91b3201633ec4
Size: 155.41 kB - postgresql-test-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: 19fb8b0ff188bce626aee990b51c907d
SHA-256: 464423bdf8b89a6978411f512025a34acec1146a7d953e5f28a13cfa5aeab9a7
Size: 2.19 MB - postgresql-test-rpm-macros-15.18-1.module+el8+1991+27afe6d7.noarch.rpm
MD5: 185ffcfbd0daf3f184f70a7f8a73f156
SHA-256: 5add0e5b2e53ae9af71ce04655cd524bf871ff5cbded384d06916eaa06878f9b
Size: 10.53 kB - postgresql-upgrade-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: 87acca24b27fe547a725eb876b853037
SHA-256: 51ef033e19db45a458104c128eb48bc8ace8efbe4dfec9b66403babd985b9223
Size: 4.51 MB - postgresql-upgrade-devel-15.18-1.module+el8+1991+27afe6d7.x86_64.rpm
MD5: d46e399c36b12d95a01ed1fef7693691
SHA-256: 98f8f36a6b7d1d95e219e27e5e950456a2c0f7b2780a0f3ec95b3836fa3e7ff7
Size: 1.18 MB