
Ubuntu alert USN-8072-1 (postgresql-14, postgresql-16, postgresql-17)

From:  noreply+usn-bot@canonical.com
To:  ubuntu-security-announce@lists.ubuntu.com
Subject:  [USN-8072-1] PostgreSQL vulnerabilities
Date:  Wed, 04 Mar 2026 15:24:02 +0000
Message-ID:  <E1vxo4w-0000gV-BX@lists.ubuntu.com>

==========================================================================
Ubuntu Security Notice USN-8072-1
March 04, 2026

postgresql-14, postgresql-16, postgresql-17 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in PostgreSQL.

Software Description:
- postgresql-17: Object-relational SQL database
- postgresql-16: Object-relational SQL database
- postgresql-14: Object-relational SQL database

Details:

Altan Birler discovered that PostgreSQL incorrectly validated oidvector
types. An attacker could possibly use this issue to obtain a few bytes of
sensitive information. (CVE-2026-2003)

Daniel Firer discovered that PostgreSQL incorrectly validated input in the
intarray extension. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2026-2004)

It was discovered that PostgreSQL incorrectly handled certain pgcrypto
memory operations. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2026-2005)

Paul Gerste and Moritz Sanft discovered that PostgreSQL incorrectly
validated multibyte character lengths. An attacker could possibly use this
issue to execute arbitrary code. (CVE-2026-2006)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  postgresql-17           17.9-0ubuntu0.25.10.1
  postgresql-client-17    17.9-0ubuntu0.25.10.1

Ubuntu 24.04 LTS
  postgresql-16           16.13-0ubuntu0.24.04.1
  postgresql-client-16    16.13-0ubuntu0.24.04.1

Ubuntu 22.04 LTS
  postgresql-14           14.22-0ubuntu0.22.04.1
  postgresql-client-14    14.22-0ubuntu0.22.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8072-1
  CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006

Package Information:
  https://launchpad.net/ubuntu/+source/postgresql-17/17.9-0...
  https://launchpad.net/ubuntu/+source/postgresql-16/16.13-...
  https://launchpad.net/ubuntu/+source/postgresql-14/14.22-...


Attachment: signature.asc (type=application/pgp-signature)

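Checking a package inventory against the fixed versions in the update instructions, as an added example that is not part of the notice or of Canonical's tooling. `deb_cmp` is a compact re-implementation of Debian version ordering (on a live host `dpkg --compare-versions` performs this comparison); the function names and the `SAMPLE` inventory are constructed for illustration.

```python
import re

# Fixed versions from the notice: release -> (PostgreSQL major, fixed package version).
FIXED = {
    "Ubuntu 25.10": ("17", "17.9-0ubuntu0.25.10.1"),
    "Ubuntu 24.04 LTS": ("16", "16.13-0ubuntu0.24.04.1"),
    "Ubuntu 22.04 LTS": ("14", "14.22-0ubuntu0.22.04.1"),
}

def _sign(x, y):
    return (x > y) - (x < y)

def _weight(c):
    # dpkg order for one non-digit character: '~' < end of run < letters < others
    base = {"~": -1, "": 0}
    return base[c] if c in base else ord(c) + (0 if c.isalpha() else 256)

def _cmp_part(a, b):
    """Compare upstream or revision strings as alternating text and digit runs."""
    while a or b:
        ta, tb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        for i in range(max(len(ta), len(tb))):
            if (s := _sign(_weight(ta[i:i + 1]), _weight(tb[i:i + 1]))):
                return s
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if (s := _sign(int(da or 0), int(db or 0))):  # numeric, so 13 > 9
            return s
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; a missing epoch is 0, a missing revision is empty
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    return (int(epoch), *(rest.rsplit("-", 1) if "-" in rest else (rest, "")))

def deb_cmp(a, b):
    """Return -1, 0 or 1 as Debian version a sorts before, equal to, or after b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return _sign(ea, eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(release, installed):
    """List installed server/client packages still below the notice's fixed version."""
    major, fixed = FIXED[release]
    pkgs = (f"postgresql-{major}", f"postgresql-client-{major}")
    return [p for p in pkgs if p in installed and deb_cmp(installed[p], fixed) < 0]

# Constructed inventory for illustration; these installed versions are not from the notice.
SAMPLE = {"postgresql-16": "16.9-0ubuntu0.24.04.1",
          "postgresql-client-16": "16.13-0ubuntu0.24.04.1"}
```

`unpatched("Ubuntu 24.04 LTS", SAMPLE)` reports `postgresql-16`, which a plain string comparison would miss because "16.9" sorts after "16.13" lexically. A package at the fixed version still needs the PostgreSQL restart the notice calls for before the running server uses the new code.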




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds