Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN803
_____________________________________________________________________

DATE                : 17/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PostgreSQL versions prior
                     to 18.1, 17.7, 16.11, 15.15, 14.20, 13.23.

=====================================================================
https://www.postgresql.org/about/news/postgresql-181-177-1611-1515-1420-and-1323-released-3171/
_____________________________________________________________________


PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 Released!
Posted on 2025-11-13 by PostgreSQL Global Development Group
PostgreSQL Project Security

The PostgreSQL Global Development Group has released an update to all
supported versions of PostgreSQL, including 18.1, 17.7, 16.11, 15.15,
14.20, and 13.23. This release fixes 2 security vulnerabilities and
over 50 bugs reported over the last several months.

For the full list of changes, please review the release notes.


PostgreSQL 13 EOL Notice

This is the final release of PostgreSQL 13. PostgreSQL 13 is now
end-of-life and will no longer receive security and bug fixes. If
you are running PostgreSQL 13 in a production environment, we
suggest that you make plans to upgrade to a newer, supported
version of PostgreSQL. Please see our versioning policy for more
information.


Security Issues

CVE-2025-12817: PostgreSQL CREATE STATISTICS does not check for
schema CREATE privilege

CVSS v3.1 Base Score: 3.1

Supported, Vulnerable Versions: 13 - 18.

Missing authorization in PostgreSQL CREATE STATISTICS command
allows a table owner to achieve denial of service against other
CREATE STATISTICS users by creating in any schema. A later
CREATE STATISTICS for the same name, from a user having the
CREATE privilege, would then fail. Versions before PostgreSQL
18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

The PostgreSQL project thanks Jelte Fennema-Nio for reporting
this problem.


CVE-2025-12818: PostgreSQL libpq undersizes allocations, via
integer wraparound

CVSS v3.1 Base Score: 5.9

Supported, Vulnerable Versions: 13 - 18.

Integer wraparound in multiple PostgreSQL libpq client library
functions allows an application input provider or network peer
to cause libpq to undersize an allocation and write out-of-bounds
by hundreds of megabytes. This results in a segmentation fault
for the application using libpq. Versions before PostgreSQL
18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

The PostgreSQL project thanks Aleksey Solovev (Positive
Technologies) for reporting this problem.


Bug Fixes and Improvements

This update fixes over 50 bugs that were reported in the last
several months. The issues listed below affect PostgreSQL 18.
Some of these issues may also affect other supported versions
of PostgreSQL.

    Avoid returning duplicate rows from hash right semi-joins.
    Avoid possible out-of-memory failures during parallel GIN
index build.
    Several fixes for BRIN indexes.
    Fixes for crashes related to partitioned tables, including
one occurring during a recheck.
    Avoid duplicating hash partition constraints during DETACH
CONCURRENTLY, which previously caused issues during dump/restore
or if a parent table is dropped after the DETACH.
    Disallow generated columns in partition keys and in
COPY ... FROM ... WHERE clauses.
    Fix incorrect reporting of replication lag in
pg_stat_replication view.
    Avoid failures when synchronized_standby_slots references
nonexistent replication slots.
    Avoid unwanted WAL receiver shutdown when switching from
streaming to archive WAL source.
    Avoid unnecessary invalidation of logical replication
slots.
    Correctly handle GROUP BY DISTINCT in PL/pgSQL assignment
statements.
    Avoid leaking memory when handling a SQL error within
PL/Python.
    Fix how libpq handles socket-related errors on Windows
within its GSSAPI logic.
    Fix dumping of non-inherited NOT NULL constraints on
inherited table columns.
    Ensure consistent ordering of foreign key constraints in
the output of pg_dump.
    Several fixes for pgbench error handling and reporting.
    Fix memory leak in pg_combinebackup.
    Allow nonsuperusers with SELECT privileges on a table to
use pg_prewarm to prewarm indexes on that table.


Updating

All PostgreSQL update releases are cumulative. As with other
minor releases, users are not required to dump and reload
their database or use pg_upgrade in order to apply this
update release; you may simply shutdown PostgreSQL and
update its binaries.

Users who have skipped one or more update releases may need
to run additional post-update steps; please see the release
notes from earlier versions for details.

For more details, please see the release notes.





=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================