[SECURITY] [DLA 4420-1] postgresql-13 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4420-1] postgresql-13 security update
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Fri, 26 Dec 2025 02:31:47 +0530
Message-id: <[🔎] CAPP0f9744BqzH6BzPUrug25xOuboF5cDay3NpGdBTzk0o8niWw@mail.gmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4420-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
December 26, 2025                           https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : postgresql-13
Version        : 13.23-0+deb11u1
CVE ID         : CVE-2025-12817 CVE-2025-12818

A couple of vulnerabilities were discovered in postgresql-13, the
widely-popular database management system:

CVE-2025-12817

    Missing authorization in PostgreSQL CREATE STATISTICS command
    allows a table owner to achieve denial of service against other
    CREATE STATISTICS users by creating in any schema. A later
    CREATE STATISTICS for the same name, from a user having the
    CREATE privilege, would then fail.

CVE-2025-12818

    Integer wraparound in multiple PostgreSQL libpq client library
    functions allows an application input provider or network peer
    to cause libpq to undersize an allocation and write out-of-bounds
    by hundreds of megabytes. This results in a segmentation fault
    for the application using libpq.

For Debian 11 bullseye, these problems have been fixed in version
13.23-0+deb11u1.

We recommend that you upgrade your postgresql-13 packages.

For the detailed security status of postgresql-13 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-13

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmlNpiAACgkQgj6WdgbD
S5a49g/+MdmEIHkumHIJ/WS+4YED7At9GsXIDVj/FLx5faYgasOUlkfaFXIf6K5a
T0hI9VWT6n8tUOk/SZu3mJk60PW3jXXYHY7E4naxcJIM17bwBQA+nHB+oaMFoRJp
FmH+2bAXcfHCWvsrP7GPU75FcPU8/cgTptDmxQRR9n7Xl7Z3LM2RjveLQfCEQswB
m6zTCS3yJBl904l+1SZanp+DPkYgWc/HuV4G6b5HPRbDEsbsLtF78ZbW4UXUY42J
zAjf1Uxf6u0UlYsIktLqVDfilpGxHP9kGB/fQKU3Evf+YtRHd3uZ4U4kQ84EbNwz
ZeLKbD7jqmVDn9maCyg7t3htinz+rpPdkQyhyT5Lp4iemKIo3Rx+lc+C81twqkZ0
p5aSuHIbW3MqcFql/jAK0dIy85yTlaSheX8y8KrtvRpKnxLFbsWc2QsDwaSfayxY
B87TzDsLQf2Rfitl0CaMI62kW1X3asKtAo99oRePVxMcVPb6LdptiGALFd3y+fcT
21wq5d4SuxOoLfs0wwhMpSUgolOheZy5T9hclHizBlVB5skN/jyoJ+o8eh2NuNX0
oKcQa/Ol2ejSpC42U6E98Ehl2dEQKz55znoIdLKaAkdRaMBzkibSCTfV4k6vYtlx
o4L4Ehh2L3FyuxCLU4s/aSr/u4M68yLi5P/UXZSb6/4sA54QDXM=
=TYQd
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4419-1] gst-plugins-good1.0 security update
Next by Date: [SECURITY] [DLA 4421-1] python-urllib3 security update
Previous by thread: [SECURITY] [DLA 4419-1] gst-plugins-good1.0 security update
Next by thread: [SECURITY] [DLA 4421-1] python-urllib3 security update
Index(es):
- Date
- Thread