oss-sec mailing list archives

PostgreSQL releases fixes for CVE-2025-12817 & CVE-2025-12818


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 14 Nov 2025 10:27:52 -0800

https://www.postgresql.org/about/news/postgresql-181-177-1611-1515-1420-and-1323-released-3171/
announces:

PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 Released!
---------------------------------------------------------------
Posted on 2025-11-13 by PostgreSQL Global Development Group

The PostgreSQL Global Development Group has released an update to all supported
versions of PostgreSQL, including 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23.
This release fixes 2 security vulnerabilities and over 50 bugs reported over
the last several months.

For the full list of changes, please review the release notes:
https://www.postgresql.org/docs/release/

PostgreSQL 13 EOL Notice
------------------------
This is the final release of PostgreSQL 13. PostgreSQL 13 is now end-of-life
and will no longer receive security and bug fixes. If you are running
PostgreSQL 13 in a production environment, we suggest that you make plans to
upgrade to a newer, supported version of PostgreSQL. Please see our versioning
policy for more information:
https://www.postgresql.org/support/versioning/

Security Issues
---------------
CVE-2025-12817: PostgreSQL CREATE STATISTICS does not check for schema CREATE
privilege <https://www.postgresql.org/support/security/CVE-2025-12817/>

CVSS v3.1 Base Score: 3.1

Supported, Vulnerable Versions: 13 - 18.

Missing authorization in PostgreSQL CREATE STATISTICS command allows a table
owner to achieve denial of service against other CREATE STATISTICS users by
creating in any schema. A later CREATE STATISTICS for the same name, from a
user having the CREATE privilege, would then fail. Versions before PostgreSQL
18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.


CVE-2025-12818: PostgreSQL libpq undersizes allocations, via integer wraparound
<https://www.postgresql.org/support/security/CVE-2025-12818/>

CVSS v3.1 Base Score: 5.9

Supported, Vulnerable Versions: 13 - 18.

Integer wraparound in multiple PostgreSQL libpq client library functions allows
an application input provider or network peer to cause libpq to undersize an
allocation and write out-of-bounds by hundreds of megabytes. This results in a
segmentation fault for the application using libpq. Versions before PostgreSQL
18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

The PostgreSQL project thanks Aleksey Solovev (Positive Technologies) for
reporting this problem.


--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
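
Added example, not part of the original post and not libpq code: a C
illustration of the bug class named in CVE-2025-12818, where a size computed
in too-narrow arithmetic wraps and undersizes an allocation, next to a
checked version. The quote-doubling routine, its 2*len + 1 bound and all
function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed for illustration (not libpq code): an escaping routine whose worst
 * case doubles every input byte and appends a NUL, so it needs 2*len + 1. */

/* Flawed sizing: 32-bit arithmetic wraps silently for large lengths. */
uint32_t unchecked_escape_size(uint32_t len)
{
    return (uint32_t)(2u * len + 1u);   /* len = 0x80000000 gives 1 */
}

/* Hardened sizing: refuse any length whose result cannot fit in size_t. */
bool checked_escape_size(size_t len, size_t *out)
{
    if (len > (SIZE_MAX - 1) / 2)
        return false;
    *out = 2 * len + 1;
    return true;
}

/* Doubles each single quote. Returns NULL on overflow or failed allocation;
 * the caller frees the result. */
char *escape_quotes(const char *src, size_t len)
{
    size_t need, j = 0;
    char *dst;

    if (!checked_escape_size(len, &need) || (dst = malloc(need)) == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        if (src[i] == '\'')
            dst[j++] = '\'';
        dst[j++] = src[i];
    }
    dst[j] = '\0';
    return dst;
}

int main(void)
{
    char *e = escape_quotes("it's", 4);   /* constructed sample input */
    printf("wrapped size: %u\n", (unsigned)unchecked_escape_size(0x80000000u));
    printf("escaped: %s\n", e ? e : "(null)");
    free(e);
    return 0;
}
```

The unchecked function reports a 1-byte buffer for a 2 GiB input, which is
how a wrapped size leads to an out-of-bounds write; the checked path rejects
the length before any allocation happens.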

