Release date:
2026-06-03 18:11:10 UTC
Description:
* SECURITY UPDATE: stack buffer overrun in libpq frontend large object interface via dangerous PQfn() with result_is_int=0
  - debian/patches/CVE-2026-6477.patch: add buf_size parameter to
    pqFunctionCall3() and introduce private PQnfn() wrapper to validate
    that returned data fits in result_buf; update lo_read(), lo_lseek64()
    and lo_tell64() to pass their buffer sizes in
    src/interfaces/libpq/fe-exec.c, src/interfaces/libpq/fe-lobj.c,
    src/interfaces/libpq/fe-protocol3.c, src/interfaces/libpq/libpq-int.h
    and doc/src/sgml/libpq.sgml
  - CVE-2026-6477
* SECURITY UPDATE: covert timing channel in MD5 password comparison allows recovery of user credentials via authentication timing observations
  - debian/patches/CVE-2026-6478.patch: add timingsafe_bcmp() constant-time
    comparison helper from upstream and replace timing-leaky memcmp()/strcmp()
    in authentication paths (MD5 password verify, SCRAM ServerKey/StoredKey/
    nonce checks, RADIUS response signature) in src/backend/libpq/auth.c,
    src/backend/libpq/auth-scram.c, src/backend/libpq/crypt.c,
    src/interfaces/libpq/fe-auth-scram.c, src/interfaces/libpq/Makefile,
    src/include/port.h, src/port/Makefile and src/port/timingsafe_bcmp.c
  - CVE-2026-6478
Updated packages:
- libecpg-compat3-11_11.22-1~trixie+tuxcare.els10_amd64.deb
- libecpg-dev-11_11.22-1~trixie+tuxcare.els10_amd64.deb
- libecpg6-11_11.22-1~trixie+tuxcare.els10_amd64.deb
- libpgtypes3-11_11.22-1~trixie+tuxcare.els10_amd64.deb
- libpq-dev-11_11.22-1~trixie+tuxcare.els10_amd64.deb
- libpq5-11_11.22-1~trixie+tuxcare.els10_amd64.deb
- postgresql11_11.22-1~trixie+tuxcare.els10_amd64.deb
- postgresql11-client_11.22-1~trixie+tuxcare.els10_amd64.deb
- postgresql11-doc_11.22-1~trixie+tuxcare.els10_all.deb
- postgresql11-plperl_11.22-1~trixie+tuxcare.els10_amd64.deb
- postgresql11-plpython3_11.22-1~trixie+tuxcare.els10_amd64.deb
- postgresql11-pltcl_11.22-1~trixie+tuxcare.els10_amd64.deb
- postgresql11-server-dev_11.22-1~trixie+tuxcare.els10_amd64.deb
- libecpg-compat3-11_11.22-1~trixie+tuxcare.els10_arm64.deb
- libecpg-dev-11_11.22-1~trixie+tuxcare.els10_arm64.deb
- libecpg6-11_11.22-1~trixie+tuxcare.els10_arm64.deb
- libpgtypes3-11_11.22-1~trixie+tuxcare.els10_arm64.deb
- libpq-dev-11_11.22-1~trixie+tuxcare.els10_arm64.deb
- libpq5-11_11.22-1~trixie+tuxcare.els10_arm64.deb
- postgresql11_11.22-1~trixie+tuxcare.els10_arm64.deb
- postgresql11-client_11.22-1~trixie+tuxcare.els10_arm64.deb
- postgresql11-plperl_11.22-1~trixie+tuxcare.els10_arm64.deb
- postgresql11-plpython3_11.22-1~trixie+tuxcare.els10_arm64.deb
- postgresql11-pltcl_11.22-1~trixie+tuxcare.els10_arm64.deb
- postgresql11-server-dev_11.22-1~trixie+tuxcare.els10_arm64.deb
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.