Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 2025.02.x] package/postgresql: security bump to v17.10
@ 2026-05-18 13:47 Thomas Perale via buildroot
From: Thomas Perale via buildroot @ 2026-05-18 13:47 UTC (permalink / raw)
  To: buildroot; +Cc: Bernd Kuhls, Maxim Kochetkov, Titouan Christophe

For more information about the release, see:
  - https://www.postgresql.org/docs/17/release-17-9.html
  - https://www.postgresql.org/docs/17/release-17-10.html

Fixes the following vulnerabilities:

- CVE-2026-6479

 Prevent unbounded recursion while processing startup packets
 A malicious client could crash the connected backend by alternating
 rejected SSL and GSS encryption requests indefinitely.

- CVE-2026-6473

 Fix assorted integer overflows in memory-allocation calculations
 Various places were incautious about the possibility of integer overflow
 in calculations of how much memory to allocate. Overflow would lead to
 allocating a too-small buffer which the caller would then write past the
 end of. This would at least trigger server crashes, and probably could
 be exploited for arbitrary code execution. In many but by no means all
 cases, the hazard exists only in 32-bit builds.

- CVE-2026-6476

 Properly quote subscription names in pg_createsubscriber

 The given subscription name was inserted into SQL commands without
 quoting, so that SQL injection could be achieved in the (perhaps
 unlikely) case that the subscription name comes from an untrusted
 source.

- CVE-2026-6638

 Properly quote object names in logical replication origin checks
 ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolated schema and
 relation names into SQL commands without quoting them, allowing
 execution of arbitrary SQL on the publisher.

- CVE-2026-6473

 Reject over-length options in ts_headline()
 The StartSel, StopSel and FragmentDelimiter strings must not exceed 32Kb
 in length, but this was not checked for. An over-length value would
 typically crash the server.

- CVE-2026-6474

 Guard against malicious time zone names in timeofday() and pg_strftime()
 A crafted time zone setting could pass % sequences to snprintf(),
 potentially causing crashes or disclosure of server memory. Another path
 to similar results was to overflow the limited-size output buffer used
 by pg_strftime().

- CVE-2026-6472

 When creating a multirange type, ensure the user has CREATE privilege on
 the schema specified for the multirange type.

 The multirange type can be put into a different schema than its parent
 range type, but we neglected to apply the required privilege check when
 doing so.

- CVE-2026-6478

 Use timing-safe string comparisons in authentication code.

 Use timingsafe_bcmp() instead of memcpy() or strcmp() when checking
 passwords, hashes, etc. It is not known whether the data dependency of
 those functions is usefully exploitable in any of these places, but in
 the interests of safety, replace them.

- CVE-2026-6477

 Mark PQfn() as unsafe, and avoid using it within libpq

 For a non-integral result type, PQfn() is not passed the size of the
 output buffer, so it cannot check that the data returned by the server
 will fit. A malicious server could therefore overwrite client memory.
 This is unfixable without an API change, so mark the function as
 deprecated. Internally to libpq, use a variant version that can apply
 the missing check.

- CVE-2026-6475

 Prevent path traversal in pg_basebackup and pg_rewind

 These applications failed to validate output file paths read from their
 input, so that a malicious source could overwrite any file writable by
 these applications. Constrain where data can be written by rejecting
 paths that are absolute or contain parent-directory references.

- CVE-2026-6473

 Guard against field overflow within contrib/intarray's query_int type
 and contrib/ltree's ltxtquery type.

 Parsing of these query structures did not check for overflow of 16-bit
 fields, so that construction of an invalid query tree was possible.
 This can crash the server when executing the query.

- CVE-2026-6473

 Guard against overly long values of contrib/ltree's lquery type.

 Values with more than 64K items caused internal overflows, potentially
 resulting in stack smashes or wrong answers.

- CVE-2026-6637

 Prevent SQL injection and buffer overruns in contrib/spi.

 check_foreign_key() was insufficiently careful about quoting key
 values, and also used fixed-length buffers for constructing queries.
 While this module is only meant as example code, it still shouldn't
 contain such dangerous errors.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 package/postgresql/postgresql.hash | 4 ++--
 package/postgresql/postgresql.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/postgresql/postgresql.hash b/package/postgresql/postgresql.hash
index b7a2397f8f..48bbbd2443 100644
--- a/package/postgresql/postgresql.hash
+++ b/package/postgresql/postgresql.hash
@@ -1,4 +1,4 @@
-# From https://ftp.postgresql.org/pub/source/v17.8/postgresql-17.8.tar.bz2.sha256
-sha256  a88d195dd93730452d0cfa1a11896720d6d1ba084bc2be7d7fc557fa4e4158a0  postgresql-17.8.tar.bz2
+# From https://ftp.postgresql.org/pub/source/v17.10/postgresql-17.10.tar.bz2.sha256
+sha256  078a03516dcdbdb705fecaf415ea3d13a956c589e46f09fed68a06fb00598c90  postgresql-17.10.tar.bz2
 # License file, Locally calculated
 sha256  3d6af92ff8a4c2cdf69afb1cf44edea727922f5cd0cf8b5f72b11cdecac8fdfd  COPYRIGHT
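Review bot: the new `+sha256` line for postgresql-17.10.tar.bz2 is, per the updated `# From` comment, taken from the `.sha256` file that sits beside the tarball on ftp.postgresql.org, so it only detects a corrupted download, not a tarball substituted on that same server; the commit message should state that the digest was cross-checked against an independent source (the release announcement, or a locally computed sha256 of a separately fetched archive). The COPYRIGHT hash is kept as unchanged context, which asserts the license file is byte-identical between 17.8 and 17.10; saying that this was re-verified against the 17.10 tree would make the hunk self-documenting.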
diff --git a/package/postgresql/postgresql.mk b/package/postgresql/postgresql.mk
index 9856d6423b..6f6f36702f 100644
--- a/package/postgresql/postgresql.mk
+++ b/package/postgresql/postgresql.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-POSTGRESQL_VERSION = 17.8
+POSTGRESQL_VERSION = 17.10
 POSTGRESQL_SOURCE = postgresql-$(POSTGRESQL_VERSION).tar.bz2
 POSTGRESQL_SITE = https://ftp.postgresql.org/pub/source/v$(POSTGRESQL_VERSION)
 POSTGRESQL_LICENSE = PostgreSQL
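Review bot: the version line jumps from 17.8 to 17.10, so the 17.9 fixes land in the same commit; the message covers that by linking both release notes, but the CVE list it gives as justification cites CVE-2026-6473 four times for four unrelated fixes (memory-allocation overflows, ts_headline() option length, intarray/ltree 16-bit field overflow, lquery item count), which looks like a copy-paste slip and should be corrected against the release notes before merge, since downstream CVE tracking keys off the ids in the commit log. In the CVE-2026-6478 entry, `memcpy()` is presumably `memcmp()`, as the sentence is about comparison functions with a data-dependent running time.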
-- 
2.54.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
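The path rule stated under CVE-2026-6475 above (reject output paths that are absolute or contain parent-directory references), written out as an added C example; this is not PostgreSQL's code, `output_path_is_safe` is an assumed name, and it assumes POSIX paths with `/` as the only separator. It walks every component, so `..` embedded in a longer name such as `..hidden` is accepted while a bare `..` component anywhere in the path is rejected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * output_path_is_safe (hypothetical name; added example, not PostgreSQL code).
 * A file path received from the remote side may only be used if it is
 * relative and contains no ".." component, so every write stays below the
 * output directory. Assumes POSIX syntax, where '/' is the only separator.
 */
bool
output_path_is_safe(const char *path)
{
    const char *p = path;

    if (path == NULL || path[0] == '\0')
        return false;               /* nothing sensible to write to */
    if (path[0] == '/')
        return false;               /* absolute path: escapes the output dir */

    /* Walk the '/'-separated components; reject any that is exactly ".." */
    for (;;)
    {
        const char *sep = strchr(p, '/');
        size_t      len = sep ? (size_t) (sep - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;           /* parent-directory reference */
        if (sep == NULL)
            return true;            /* last component checked, all clean */
        p = sep + 1;                /* "a//b" yields an empty component, harmless */
    }
}

int
main(void)
{
    /* Constructed sample inputs, as a backup receiver might see them */
    const char *samples[] = {
        "base/1/16384", "/etc/hosts", "../outside.txt", "pg_wal/../../x",
        "..hidden/file", "dir/..",
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               output_path_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```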

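The allocation-size hazard described under CVE-2026-6473 (integer overflow in the calculation of how much memory to allocate), as an added C example rather than PostgreSQL's code: `checked_alloc_size`, `unchecked_alloc_size32` and `alloc_array_checked` are assumed names, and the unchecked variant is deliberately computed in 32-bit arithmetic to show why the wrap-around mostly bites 32-bit builds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * checked_alloc_size (hypothetical name; added example, not PostgreSQL code).
 * Computes header + nitems * itemsize, the shape of the calculations the
 * CVE entry describes, but reports failure instead of handing back a
 * wrapped-around (too small) size. Uses portable overflow tests only.
 */
bool
checked_alloc_size(size_t header, size_t nitems, size_t itemsize, size_t *result)
{
    size_t body;

    if (itemsize != 0 && nitems > SIZE_MAX / itemsize)
        return false;               /* nitems * itemsize would wrap */
    body = nitems * itemsize;
    if (header > SIZE_MAX - body)
        return false;               /* header + body would wrap */
    *result = header + body;
    return true;
}

/*
 * The same calculation in 32-bit unsigned arithmetic, which is what an
 * unchecked int/uint32 computation amounts to on a 32-bit build. The result
 * silently wraps modulo 2^32, and a buffer of that size is then overrun by
 * a caller that believes it has room for nitems elements.
 */
uint32_t
unchecked_alloc_size32(uint32_t header, uint32_t nitems, uint32_t itemsize)
{
    return header + nitems * itemsize;
}

/* Allocate only when the size computation is sound; NULL otherwise. */
void *
alloc_array_checked(size_t header, size_t nitems, size_t itemsize)
{
    size_t sz;

    if (!checked_alloc_size(header, nitems, itemsize, &sz))
        return NULL;
    return malloc(sz);
}

int
main(void)
{
    /* Constructed input: 2^28 items of 16 bytes plus a 16-byte header */
    size_t   sz;
    uint32_t wrapped = unchecked_alloc_size32(16, 1u << 28, 16);
    bool     ok = checked_alloc_size(16, (size_t) 1 << 28, 16, &sz);

    printf("unchecked 32-bit size: %u bytes (wrapped)\n", wrapped);
    printf("checked size: %s\n", ok ? "accepted" : "refused");  /* host-dependent */
    return 0;
}
```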

* Re: [Buildroot] [PATCH 2025.02.x] package/postgresql: security bump to v17.10
@ 2026-05-29  8:29 ` Thomas Perale via buildroot
From: Thomas Perale via buildroot @ 2026-05-29  8:29 UTC (permalink / raw)
  To: Thomas Perale; +Cc: buildroot

Applied to 2025.02.x. Thanks


* Re: [Buildroot] [PATCH 2025.02.x] package/postgresql: security bump to v17.10
@ 2026-05-29 14:00   ` Baruch Siach via buildroot
From: Baruch Siach via buildroot @ 2026-05-29 14:00 UTC (permalink / raw)
  To: Thomas Perale via buildroot; +Cc: Thomas Perale

Hi Thomas,

On Fri, May 29 2026, Thomas Perale via buildroot wrote:
>
> Applied to 2025.02.x. Thanks

Not in 2025.02.x as of commit d2eda853cac ("{linux, linux-headers}: bump
6.12.x, 6.6.x, 6.1.x, 5.15.x, 5.10.x series").

baruch


-- 
                                                     ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -

* Re: [Buildroot] [PATCH 2025.02.x] package/postgresql: security bump to v17.10
@ 2026-05-29 14:46     ` Thomas Perale via buildroot
From: Thomas Perale via buildroot @ 2026-05-29 14:46 UTC (permalink / raw)
  To: Baruch Siach; +Cc: Thomas Perale, Thomas Perale via buildroot

Hi,

> Not in 2025.02.x as of commit d2eda853cac ("{linux, linux-headers}: bump
> 6.12.x, 6.6.x, 6.1.x, 5.15.x, 5.10.x series").
> 
> baruch

Fixed, thanks.