From: Tom Lane Date: Mon, 9 Feb 2026 19:01:20 +0000 (-0500) Subject: Last-minute updates for release notes. X-Git-Tag: REL_18_2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=30d2603f5c340133ca03e098fcaa9c242843d5e1;p=thirdparty%2Fpostgresql.git Last-minute updates for release notes. Security: CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006, CVE-2026-2007 --- diff --git a/doc/src/sgml/release-18.sgml b/doc/src/sgml/release-18.sgml index 388f81f6edc..923001f0a55 100644 --- a/doc/src/sgml/release-18.sgml +++ b/doc/src/sgml/release-18.sgml @@ -24,7 +24,7 @@ However, if you have any indexes on ltree columns, it may - be necessary to reindex them after updating. See the first changelog + be necessary to reindex them after updating. See the sixth changelog entry below. 
@@ -36,6 +36,212 @@ + + Guard against unexpected dimensions + of oidvector/int2vector (Tom Lane) + § + + + + These data types are expected to be 1-dimensional arrays containing + no nulls, but there are cast pathways that permit violating those + expectations. Add checks to some functions that were depending on + those expectations without verifying them, and could misbehave in + consequence. + + + + The PostgreSQL Project thanks + Altan Birler for reporting this problem. + (CVE-2026-2003) + + + + + + + Harden selectivity estimators against being attached to operators + that accept unexpected data types (Tom Lane) + § + § + + + + contrib/intarray contained a selectivity + estimation function that could be abused for arbitrary code + execution, because it did not check that its input was of the + expected data type. Third-party extensions should check for similar + hazards and add defenses using the technique intarray now uses. + Since such extension fixes will take time, we now require superuser + privilege to attach a non-built-in selectivity estimator to an + operator. + + + + The PostgreSQL Project thanks + Daniel Firer, as part of zeroday.cloud, for reporting this problem. + (CVE-2026-2004) + + + + + + + Fix buffer overrun in contrib/pgcrypto's + PGP decryption functions (Michael Paquier) + § + + + + Decrypting a crafted message with an overlength session key caused a + buffer overrun, with consequences as bad as arbitrary code + execution. + + + + The PostgreSQL Project thanks + Team Xint Code, as part of zeroday.cloud, for reporting this problem. + (CVE-2026-2005) + + + + + + + Fix inadequate validation of multibyte character lengths + (Thomas Munro, Noah Misch) + § + § + § + § + § + § + + + + Assorted bugs allowed an attacker able to issue crafted SQL to + overrun string buffers, with consequences as bad as arbitrary code + execution. 
After these fixes, applications may + observe invalid byte sequence for encoding errors + when string functions process invalid text that has been stored in + the database. + + + + The PostgreSQL Project thanks Paul Gerste + and Moritz Sanft, as part of zeroday.cloud, for reporting this + problem. + (CVE-2026-2006) + + + + + + + Harden contrib/pg_trgm against changes in + string lowercasing behavior (Heikki Linnakangas) + § + § + + + + Fix potential buffer overruns arising from the fact that in some + locales lower-casing a string can produce more characters (not + bytes) than were in the original. That behavior is new in version + 18, and so is the bug. + + + + The PostgreSQL Project thanks + Heikki Linnakangas for reporting this problem. + (CVE-2026-2007) + + + + +
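Review bot: In the @@ -24,7 +24,7 hunk, "See the sixth changelog entry below" identifies the ltree item by position, so it is correct only while exactly five entries precede it, as the five CVE entries added in the following hunk now do. Referring to the entry by its subject, or linking to it directly, would keep the migration note accurate if another item is inserted or the list is reordered later.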
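Review bot: In the @@ -36,6 +36,212 hunk, the CVE-2026-2004 and CVE-2026-2006 entries each introduce a user-visible behavior change, but the migration paragraph touched by the previous hunk still mentions only the ltree reindex. The two changes are that superuser privilege is now required to attach a non-built-in selectivity estimator to an operator, and that string functions may now raise "invalid byte sequence for encoding" on invalid text already stored in the database. Consider calling out both in the migration paragraph so administrators see them before updating. The CVE-2026-2004 entry also tells third-party extensions to "add defenses using the technique intarray now uses" without saying what that technique is; a short description of the check would let extension authors act on it from the release notes alone.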