[security][HIGH] postgresql16 16.9: 3 CVE require triage #1

Closed
opened 2026-04-29 04:37:10 +03:00 by sbelikov · 1 comment
Owner

CVE triage request

Package

  • Package: postgresql16
  • Version: 16.9
  • EVR: 16.9-1
  • Category: database
  • Policy class: service
  • NiceOS policy class: -
  • Owner: base-team
  • Severity: HIGH
  • Max CVSS: 8.8
  • CVE count: 3

LLM recommendation

RU

Three critical vulnerabilities (CVE-2026-2004, CVE-2026-2005, CVE-2026-2006) were identified in PostgreSQL 16.9 that allow arbitrary code execution as the OS user. The current package version (16.9) does not meet the minimum fixed version (16.12).

Immediately update the postgresql16 package to version 16.12 or later to eliminate all of the vulnerabilities. Check for patches in the НАЙС.ОС repositories.

Recommended action: update_package

Target version hint: 16.12

Checks:

  1. Check the installed package version: rpm -q postgresql16.
  2. Make sure the version is >= 16.12.
  3. Verify update integrity: rpm -Va.
  4. Test database operation after the update.

Risks: Complete control of the database server by an attacker, possible data theft, configuration modification and use of system resources. High likelihood of exploitation in attacks on web applications that use PostgreSQL.

EN

Three critical vulnerabilities (CVE-2026-2004, CVE-2026-2005, CVE-2026-2006) were identified in PostgreSQL 16.9 allowing arbitrary code execution as the OS user. Current package version (16.9) does not meet the minimum fixed version (16.12).

Immediately update the postgresql16 package to version 16.12 or later to mitigate all vulnerabilities. Verify patch availability in НАЙС.ОС repositories.

Recommended action: update_package

Target version hint: 16.12

Tests:

  1. Check installed package version: rpm -q postgresql16.
  2. Ensure version >= 16.12.
  3. Verify update integrity: rpm -Va.
  4. Test database functionality after update.

Risks: Complete control of the database server by an attacker, potential data theft, configuration modification, and resource usage. High likelihood of exploitation in attacks targeting web applications using PostgreSQL.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | NiceOS status | Reason |
|---|---|---:|---|---|---|
| CVE-2026-2004 | HIGH | 8.8 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-2005 | HIGH | 8.8 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-2006 | HIGH | 8.8 | cpe-range | needs_triage | package version is inside version range |

Descriptions

CVE-2026-2004

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVE-2026-2005

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVE-2026-2006

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

```json
{
  "cves": [
    "CVE-2026-2004",
    "CVE-2026-2005",
    "CVE-2026-2006"
  ],
  "fingerprint": "45a028e8a2f7ab168856",
  "generated_at": "2026-04-29T01:37:09Z",
  "package": "postgresql16",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "16.9"
}
```
Author
Owner

Closing as fixed by updating postgresql16 within the PostgreSQL 16 stable major series.

Security triage result:

postgresql16 16.9-1 was affected by the CVEs listed in this issue. The minimum fixed PostgreSQL 16 release is 16.12, but the NiceOS target was moved to 16.13 because it stays within the same PostgreSQL 16 major series and includes follow-up minor fixes after 16.12.

Update result:

  • postgresql16 16.9 → 16.13
  • PostgreSQL major series preserved: 16.x
  • No migration to PostgreSQL 17/18
  • No pg_upgrade / dump-restore required for this normal minor update path

CVE status:

  • CVE-2026-2004: fixed in PostgreSQL 16.12.
  • CVE-2026-2005: fixed in PostgreSQL 16.12.
  • CVE-2026-2006: fixed in PostgreSQL 16.12.

NiceOS policy decision:

PostgreSQL is kept inside the NiceOS 5.2 postgresql16 line. This security update does not change the PostgreSQL major version and does not introduce a service migration to PostgreSQL 17/18.

Validation checklist:

```bash
rpm -q postgresql16
postgres --version
psql --version
pg_config --version

tmpdir="$(mktemp -d)"
initdb -D "$tmpdir/data"
pg_ctl -D "$tmpdir/data" -o "-p 55432" -l "$tmpdir/log" start
psql -p 55432 -d postgres -c "SELECT version();"
psql -p 55432 -d postgres -c "CREATE EXTENSION IF NOT EXISTS intarray;"
psql -p 55432 -d postgres -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;"
psql -p 55432 -d postgres -c "SELECT crypt('niceos', gen_salt('bf'));"
pg_ctl -D "$tmpdir/data" stop
rm -rf "$tmpdir"
```

Closure condition:

Close as fixed after rpms/postgresql16, Core/postgresql16, and niceos-package-index confirm postgresql16 16.13-1.

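The triage above hinges on one check: whether the installed minor release is at or past the first fixed release of its major series (16.12 for the 16.x line, and 18.2, 17.8, 15.16, 14.21 for the others named in the CVE descriptions). The following is an added example, not part of this issue or of the NiceOS triage tooling: it parses `rpm -q` style output and decides `affected` / `fixed` / `unknown_series` with numeric comparison, because a naive string comparison says `"16.9" >= "16.12"` and would have called the vulnerable package fixed. The rpm output lines are constructed samples and the `name-version-release.dist.arch` layout is an assumption; the fixed-version table is taken from the CVE descriptions in this issue.

```python
"""Version-range check for the PostgreSQL CVEs tracked in this issue.

Added example, not part of the issue or of the NiceOS tooling. The fixed
versions are the ones quoted in the CVE descriptions above; the rpm output
lines are constructed samples, and the package-name layout
(name-version-release.dist.arch) is an assumption.
"""
import re
from typing import Dict, Tuple

# First release of each PostgreSQL major series that fixes CVE-2026-2004,
# CVE-2026-2005 and CVE-2026-2006 (from the descriptions in this issue).
FIXED_MINOR: Dict[int, int] = {18: 2, 17: 8, 16: 12, 15: 16, 14: 21}

# Matches rpm -q output such as "postgresql16-16.9-1.niceos.x86_64"
# (constructed sample layout; real release tags may differ).
_RPM_RE = re.compile(
    r"^(?P<name>[A-Za-z][\w+.-]*?)-(?P<version>\d+(?:\.\d+)*)-(?P<release>[^-]+)$"
)


def parse_rpm_nvra(line: str) -> Tuple[str, str, str]:
    """Split an rpm NVRA string into (name, version, release-with-arch)."""
    m = _RPM_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an rpm NVRA string: {line!r}")
    return m.group("name"), m.group("version"), m.group("release")


def parse_pg_version(version: str) -> Tuple[int, int]:
    """'16.9' -> (16, 9). Only the two-part PostgreSQL 10+ scheme is handled."""
    parts = version.split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported PostgreSQL version: {version!r}")
    return int(parts[0]), int(parts[1])


def triage_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown_series' for a PostgreSQL version.

    Comparison is on integers: '16.9' < '16.12' here, whereas a plain string
    comparison would rank '16.9' above '16.12' and mis-triage the package.
    """
    major, minor = parse_pg_version(version)
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        # Series not named in the advisory text (e.g. an EOL 13.x): manual triage.
        return "unknown_series"
    return "fixed" if minor >= fixed else "affected"


def triage_rpm(line: str) -> Dict[str, str]:
    """Triage one rpm -q output line; returns the fields a maintainer would log."""
    name, version, release = parse_rpm_nvra(line)
    return {
        "package": name,
        "version": version,
        "release": release,
        "status": triage_status(version),
    }


if __name__ == "__main__":
    # Constructed sample lines standing in for `rpm -q postgresql16` output
    # before and after the update described in this issue.
    for sample in (
        "postgresql16-16.9-1.niceos.x86_64",
        "postgresql16-16.13-1.niceos.x86_64",
    ):
        print(triage_rpm(sample))
```

Run it with no arguments to see the before/after verdicts for the constructed samples; in a real pipeline the loop would read the output of `rpm -q postgresql16` instead. Any series not in `FIXED_MINOR` is deliberately reported as `unknown_series` rather than silently treated as fixed, since an unlisted major is usually end-of-life and needs a human decision.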