{
  "document": {
    "aggregate_severity": {
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "- CVE-2026-6473: integer overflow fixes across multiple vulnerable sites: formatting.c size calculations (mul_size), intarray/ltxtquery findoprnd() left-offset overflow, ltree lquery numvar/totallen overflow, and ts_headline option length overflow\n- CVE-2026-6474: timeofday / pg_strftime: guard against unsafe format codes and ensure null-termination on overflow\n- CVE-2026-6477: libpq: harden PQfn() / pqFunctionCall3 against server-controlled buffer overruns in lo_read()\n- CVE-2026-6478: authentication: add timingsafe_bcmp() helper and apply it in MD5 / RADIUS auth paths\n- CVE-2026-6637: refint contrib: prevent SQL injection and buffer overruns in check_primary_key / check_foreign_key",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779893321",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779893321"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/amazonlinux2els/advisories/2026/clsa-2026_1779893321.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-05-27T14:49:57Z",
      "generator": {
        "date": "2026-05-27T14:49:57Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1779893321",
      "initial_release_date": "2026-05-27T14:49:57Z",
      "revision_history": [
        {
          "date": "2026-05-27T14:49:57Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "postgresql: Fix of 5 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Amazon Linux 2",
                "product": {
                  "name": "Amazon Linux 2",
                  "product_id": "Amazon-Linux-2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:amazon:amazon_linux:2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Amazon Linux"
          }
        ],
        "category": "vendor",
        "name": "Amazon Web Services, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                "product": {
                  "name": "postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_id": "postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-devel@9.2.24-8.amzn2.0.9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                "product": {
                  "name": "postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_id": "postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-static@9.2.24-8.amzn2.0.9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                "product": {
                  "name": "postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_id": "postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-server@9.2.24-8.amzn2.0.9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                "product": {
                  "name": "postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_id": "postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-plperl@9.2.24-8.amzn2.0.9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                "product": {
                  "name": "postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_id": "postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-libs@9.2.24-8.amzn2.0.9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                "product": {
                  "name": "postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_id": "postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-pltcl@9.2.24-8.amzn2.0.9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                "product": {
                  "name": "postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_id": "postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-upgrade@9.2.24-8.amzn2.0.9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                "product": {
                  "name": "postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_id": "postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql@9.2.24-8.amzn2.0.9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                "product": {
                  "name": "postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_id": "postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-docs@9.2.24-8.amzn2.0.9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                "product": {
                  "name": "postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_id": "postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-contrib@9.2.24-8.amzn2.0.9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                "product": {
                  "name": "postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_id": "postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-test@9.2.24-8.amzn2.0.9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                "product": {
                  "name": "postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_id": "postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-plpython@9.2.24-8.amzn2.0.9.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686",
                "product": {
                  "name": "postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686",
                  "product_id": "postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-libs@9.2.24-8.amzn2.0.9.tuxcare.els1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        },
        "product_reference": "postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        },
        "product_reference": "postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        },
        "product_reference": "postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        },
        "product_reference": "postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        },
        "product_reference": "postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686"
        },
        "product_reference": "postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        },
        "product_reference": "postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        },
        "product_reference": "postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        },
        "product_reference": "postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        },
        "product_reference": "postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        },
        "product_reference": "postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        },
        "product_reference": "postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        },
        "product_reference": "postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-6637",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      },
      "notes": [
        {
          "category": "description",
          "text": "Stack buffer overflow in PostgreSQL module \"refint\" allows an unprivileged database user to execute arbitrary code as the operating system user running the database.  A distinct attack is possible if the application declares a user-controlled column as a \"refint\" cascade primary key and facilitates user-controlled updates to that column.  In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.",
          "title": "Vulnerability description"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686",
          "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-6637"
        },
        {
          "category": "external",
          "summary": "https://www.postgresql.org/support/security/CVE-2026-6637/",
          "url": "https://www.postgresql.org/support/security/CVE-2026-6637/"
        }
      ],
      "release_date": "2026-05-14T14:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-27T14:48:43.956921Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779893321",
          "product_ids": [
            "Amazon-Linux-2:postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686",
            "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779893321"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ]
    },
    {
      "cve": "CVE-2026-6473",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "notes": [
        {
          "category": "description",
          "text": "Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds.  This may execute arbitrary code as the operating system user running the database.  In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.",
          "title": "Vulnerability description"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686",
          "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-6473"
        },
        {
          "category": "external",
          "summary": "https://www.postgresql.org/support/security/CVE-2026-6473/",
          "url": "https://www.postgresql.org/support/security/CVE-2026-6473/"
        }
      ],
      "release_date": "2026-05-14T14:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-27T14:48:43.956921Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779893321",
          "product_ids": [
            "Amazon-Linux-2:postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686",
            "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779893321"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ]
    },
    {
      "cve": "CVE-2026-6474",
      "cwe": {
        "id": "CWE-134",
        "name": "Use of Externally-Controlled Format String"
      },
      "notes": [
        {
          "category": "description",
          "text": "Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.",
          "title": "Vulnerability description"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686",
          "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-6474"
        },
        {
          "category": "external",
          "summary": "https://www.postgresql.org/support/security/CVE-2026-6474/",
          "url": "https://www.postgresql.org/support/security/CVE-2026-6474/"
        }
      ],
      "release_date": "2026-05-14T14:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-27T14:48:43.956921Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779893321",
          "product_ids": [
            "Amazon-Linux-2:postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686",
            "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779893321"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ]
    },
    {
      "cve": "CVE-2026-6477",
      "cwe": {
        "id": "CWE-242",
        "name": "Use of Inherently Dangerous Function"
      },
      "notes": [
        {
          "category": "description",
          "text": "Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response.  Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size.  Because both the \\lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.",
          "title": "Vulnerability description"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686",
          "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-6477"
        },
        {
          "category": "external",
          "summary": "https://www.postgresql.org/support/security/CVE-2026-6477/",
          "url": "https://www.postgresql.org/support/security/CVE-2026-6477/"
        }
      ],
      "release_date": "2026-05-14T14:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-27T14:48:43.956921Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779893321",
          "product_ids": [
            "Amazon-Linux-2:postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686",
            "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779893321"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ]
    },
    {
      "cve": "CVE-2026-6478",
      "cwe": {
        "id": "CWE-385",
        "name": "Covert Timing Channel"
      },
      "notes": [
        {
          "category": "description",
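          "text": "Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate.  This does not affect scram-sha-256 passwords, the default in all supported releases.  However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.  The packages covered by this advisory are built from PostgreSQL 9.2.24, which predates scram-sha-256 (introduced in PostgreSQL 10), so the scram-sha-256 exemption does not apply to them and md5 password authentication should be treated as exposed until the update is installed.",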
          "title": "Vulnerability description"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686",
          "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
          "Amazon-Linux-2:postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-6478"
        },
        {
          "category": "external",
          "summary": "https://www.postgresql.org/support/security/CVE-2026-6478/",
          "url": "https://www.postgresql.org/support/security/CVE-2026-6478/"
        }
      ],
      "release_date": "2026-05-14T14:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-27T14:48:43.956921Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779893321",
          "product_ids": [
            "Amazon-Linux-2:postgresql-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-contrib-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-devel-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-docs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.i686",
            "Amazon-Linux-2:postgresql-libs-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-plperl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-plpython-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-pltcl-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-server-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-static-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-test-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64",
            "Amazon-Linux-2:postgresql-upgrade-0:9.2.24-8.amzn2.0.9.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779893321"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ]
    }
  ]
}