Log message:
postgresql1[4-8]: updated to 18.3, 17.9, 16.13, 15.17, 14.22

PostgreSQL 18.3, 17.9, 16.13, 15.17, and 14.22

Bug Fixes and Improvements

This update fixes several bugs that were reported since the previous release. \ 
The issues listed below affect PostgreSQL 18. Some of these issues may also \ 
affect other supported versions of PostgreSQL.

Fix issue where a standby would halt and return an error "could not access \ 
status of transaction".
Fix error where the substring() function would raise an error "invalid byte \ 
sequence for encoding" on non-ASCII text values if the source of that value \ 
is a database column. This was due to a change introduced for the fix to \ 
CVE-2026-2006.
Fix for the strict_word_similarity function in pg_trgm that could lead to \ 
incorrect output or crashes. This was due to an oversight in the fix for \ 
CVE-2026-2007.
Fix function volatility for json_strip_nulls() and jsonb_strip_nulls() to be \ 
immutable, like previous releases, allowing for them to be used in indexes. If \ 
you previously upgraded to PostgreSQL 18.0 through 18.2, see the additional \ 
steps in the "Updating" section.
Fix for NOT NULL tests in LATERAL UNION ALL subquery that could lead to wrong \ 
query output.
Avoid NOT NULL constraints from generating name conflicts with user-written \ 
constraints.
Fix pg_stat_get_backend_wait_event() and pg_stat_get_backend_wait_event_type() \ 
to report values for auxiliary processes, similar to pg_stat_activity.
Fix casting a composite-type variable to a domain type when returning its value \ 
from a PL/pgSQL function.
Fix the hstore binary input function to avoid crashes on input with duplicate keys.

Log message:
postgresql1[4-8]*: updated to 18.2, 17.8, 16.12, 15.16, and 14.21

PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21

Security Issues

CVE-2026-2003: PostgreSQL oidvector discloses a few bytes of memory

CVSS v3.1 Base Score: 4.3

Supported, Vulnerable Versions: 14 - 18.

Improper validation of type oidvector in PostgreSQL allows a database user to \ 
disclose a few bytes of server memory. We have not ruled out viability of \ 
attacks that arrange for presence of confidential information in disclosed \ 
bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, \ 
15.16, and 14.21 are affected.

The PostgreSQL project thanks Altan Birler for reporting this problem.

CVE-2026-2004: PostgreSQL intarray missing validation of type of input to \ 
selectivity estimator executes arbitrary code

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Missing validation of type of input in PostgreSQL intarray extension selectivity \ 
estimator function allows an object creator to execute arbitrary code as the \ 
operating system user running the database. Versions before PostgreSQL 18.2, \ 
17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Daniel Firer, as part of zeroday.cloud, for \ 
reporting this problem.

CVE-2026-2005: PostgreSQL pgcrypto heap buffer overflow executes arbitrary code

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to \ 
execute arbitrary code as the operating system user running the database. \ 
Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Team Xint Code, as part of zeroday.cloud, for \ 
reporting this problem.

CVE-2026-2006: PostgreSQL missing validation of multibyte character length \ 
executes arbitrary code

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Missing validation of multibyte character length in PostgreSQL text manipulation \ 
allows a database user to issue crafted queries that achieve a buffer overrun. \ 
That suffices to execute arbitrary code as the operating system user running the \ 
database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are \ 
affected.

The PostgreSQL project thanks Paul Gerste and Moritz Sanft, as part of \ 
zeroday.cloud, for reporting this problem.

CVE-2026-2007: PostgreSQL pg_trgm heap buffer overflow writes pattern onto \ 
server memory

CVSS v3.1 Base Score: 8.2

Supported, Vulnerable Versions: 18.

Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve \ 
unknown impacts via a crafted input string. The attacker has limited control \ 
over the byte patterns to be written, but we have not ruled out the viability of \ 
attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are \ 
affected.

The PostgreSQL project thanks Heikki Linnakangas for reporting this problem.

Bug Fixes and Improvements

This update fixes over 65 bugs that were reported in the last several months. \ 
The issues listed below affect PostgreSQL 18. Some of these issues may also \ 
affect other supported versions of PostgreSQL.

Fix inconsistent case-insensitive text matching in the ltree extension. If you \ 
use an index on an ltree column, in some cases you may need perform a reindex. \ 
See the "Updating" section for additional instructions.
Executing ALTER TABLE ... ADD CONSTRAINT to add a NOT NULL constraint on a \ 
column that already is marked as NOT NULL now requires the constraint name to \ 
match the existing constraint name.
Fix trigger behavior when MERGE is executed from a WITH query to include rows \ 
affected by the MERGE.
Several query planner fixes.
Fix for text substring search for non-deterministic collations.
Several fixes for NOTIFY error handling and reporting.
Use the correct ordering function in GIN index parallel builds.
Fix incorrect handling of incremental backups with tables larger than 1GB.
Fail recovery if WAL does not exist back to the redo point indicated by the \ 
checkpoint record.
Fix for ALTER PUBLICATION to ensure event triggers contain all set options.
Several fixes around replication slot initialization.
Don't advance replication slot after a logical replication parallel worker apply \ 
failure to prevent transaction loss on the subscriber.
Fix error reporting for SQL/JSON path type mismatches.
Fix JIT compilation function inlining when using LLVM 17 or later.
Add new server parameter file_extend_method to control use of posix_fallocate().
Fix psql tab completion for the VACUUM command options.
Fix pg_dump to handle concurrent sequence drops gracefully and to fail if the \ 
calling user explicitly lacks privileges to read the sequence.
Several fixes for amcheck around btree inspection.
Avoid crash in pg_stat_statements when an IN list contains both constants and \ 
non-constant expressions.
This release also updates time zone data files to tzdata release 2025c, which \ 
only has a historical data change for pre-1976 timestamps in Baja California.

Log message:
*: recursive bump for icu 78.1

Log message:
databases/postgresql: remove unknown configure options

Log message:
databases/postgresql: remove redundant PLIST from meta packages

Log message:
postgresql: updated to 18.1, 17.7, 16.11, 15.15, 14.20, 13.23

PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23

Security Issues
- CVE-2025-12817: PostgreSQL CREATE STATISTICS does not check for schema CREATE \ 
privilege
- CVE-2025-12818: PostgreSQL libpq undersizes allocations, via integer wraparound

Bug Fixes and Improvements

This update fixes over 50 bugs that were reported in the last several months. \ 
The issues listed below affect PostgreSQL 18. Some of these issues may also \ 
affect other supported versions of PostgreSQL.

Avoid returning duplicate rows from hash right semi-joins.
Avoid possible out-of-memory failures during parallel GIN index build.
Several fixes for BRIN indexes.
Fixes for crashes related to partitioned tables, including one occurring during \ 
a recheck.
Avoid duplicating hash partition constraints during DETACH CONCURRENTLY, which \ 
previously caused issues during dump/restore or if a parent table is dropped \ 
after the DETACH.
Disallow generated columns in partition keys and in COPY ... FROM ... WHERE clauses.
Fix incorrect reporting of replication lag in pg_stat_replication view.
Avoid failures when synchronized_standby_slots references nonexistent \ 
replication slots.
Avoid unwanted WAL receiver shutdown when switching from streaming to archive \ 
WAL source.
Avoid unnecessary invalidation of logical replication slots.
Correctly handle GROUP BY DISTINCT in PL/pgSQL assignment statements.
Avoid leaking memory when handling a SQL error within PL/Python.
Fix how libpq handles socket-related errors on Windows within its GSSAPI logic.
Fix dumping of non-inherited NOT NULL constraints on inherited table columns.
Ensure consistent ordering of foreign key constraints in the output of pg_dump.
Several fixes for pgbench error handling and reporting.
Fix memory leak in pg_combinebackup.
Allow nonsuperusers with SELECT privileges on a table to use pg_prewarm to \ 
prewarm indexes on that table.

Log message:
postgresql1[3-7]: updated to 17.6, 16.10, 15.14, 14.19, 13.22

PostgreSQL 17.6, 16.10, 15.14, 14.19, 13.22

Security Issues

CVE-2025-8713: PostgreSQL optimizer statistics can expose sampled data within a \ 
view, partition, or child table
CVE-2025-8714: PostgreSQL pg_dump lets superuser of origin server execute \ 
arbitrary code in psql client
CVE-2025-8715: PostgreSQL pg_dump newline in object name executes arbitrary code \ 
in psql client and in restore target server

Bug Fixes and Improvements

This update fixes over 55 bugs that were reported in the last several months. \ 
The issues listed below affect PostgreSQL 17. Some of these issues may also \ 
affect other supported versions of PostgreSQL.

Fix for BRIN indexes using the numeric_minmax_multi_ops operator class that \ 
could cause them to become bloated and inefficient. Please see the \ 
"Updating" section for instructions on how to fix these indexes.
Several fixes for logical replication, including fixes for memory allocation \ 
failure, duplicate transaction replay, infinite wait, unexpected shutdown, and a \ 
standby unable to shutdown.
Fix premature removal of old WAL during a checkpoint, which could impact \ 
recovery when using replication slots.
Revert a change that could reject XML documents over 10MB in size.
Fix how nested character classes (e.g. [[:alpha:]%_]) are handled in SIMILAR TO \ 
expressions.
Restore the ability for PL/pgSQL expressions to use parallel execution.
Avoid a rare scenario where a B-tree index could modify the wrong entry.
Several fixes for MERGE, including incorrect query results with concurrency and \ 
when targeting a table that is a parent in an inheritance hierarchy.
Fix LZ4 decompression failure that could occur on data that is not very compressible.
Prevent an infinite loop in checkpoints on systems with very large \ 
shared_buffers settings.
Fix issues with GSSAPI authentication when using Active Directory accounts with \ 
many group memberships. This release also fixes timing-dependent connection \ 
failures when using SSL or GSSAPI encryption in non-blocking mode.
Fix a crash in libpq function PQcancelCreate().
Fix several resource leaks.

Log message:
postgresql*: Add missing CONFLICTS patterns.

For some reason the version-specific patterns were dropped since the
postgresql10 import and cargo-culted around since then.  With this, the
latest pkgin is able to correctly upgrade php??-extensions from 2023Q4.