SUSE-SU-2026:1946-1: important: Security update for postgresql18

SLE-UPDATES null at suse.de
Mon May 18 12:31:50 UTC 2026 

# Security update for postgresql18

Announcement ID: SUSE-SU-2026:1946-1  
Release Date: 2026-05-18T07:49:01Z  
Rating: important  
References:

  * bsc#1263804
  * bsc#1265172
  * bsc#1265173
  * bsc#1265174
  * bsc#1265175
  * bsc#1265176
  * bsc#1265177
  * bsc#1265178
  * bsc#1265179
  * bsc#1265180
  * bsc#1265181
  * bsc#1265182
  * jsc#PED-14820

  
Cross-References:

  * CVE-2026-6472
  * CVE-2026-6473
  * CVE-2026-6474
  * CVE-2026-6475
  * CVE-2026-6476
  * CVE-2026-6477
  * CVE-2026-6478
  * CVE-2026-6479
  * CVE-2026-6575
  * CVE-2026-6637
  * CVE-2026-6638

  
CVSS scores:

  * CVE-2026-6472 ( SUSE ):  5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  * CVE-2026-6472 ( NVD ):  5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  * CVE-2026-6473 ( SUSE ):  8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-6473 ( NVD ):  8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-6474 ( SUSE ):  4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  * CVE-2026-6474 ( NVD ):  4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  * CVE-2026-6475 ( SUSE ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-6475 ( NVD ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-6476 ( SUSE ):  7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-6476 ( NVD ):  7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-6477 ( SUSE ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-6477 ( NVD ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-6478 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  * CVE-2026-6478 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  * CVE-2026-6479 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-6479 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-6575 ( SUSE ):  4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  * CVE-2026-6575 ( NVD ):  4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  * CVE-2026-6637 ( SUSE ):  8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-6637 ( NVD ):  8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-6638 ( SUSE ):  3.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
  * CVE-2026-6638 ( NVD ):  3.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

  
Affected Products:

  * SUSE Linux Enterprise High Performance Computing 12 SP5
  * SUSE Linux Enterprise Server 12 SP5
  * SUSE Linux Enterprise Server 12 SP5 LTSS
  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  * SUSE Linux Enterprise Server for SAP Applications 12 SP5

  
  
An update that solves 11 vulnerabilities, contains one feature and has one
security fix can now be installed.

## Description:

This update for postgresql18 fixes the following issues

Update to version 18.4.

Security issues:

  * CVE-2026-6472: ensure the user has CREATE privilege on the schema specified
    (bsc#1265172).
  * CVE-2026-6473: integer overflows in memory-allocation calculations
    (bsc#1265173).
  * CVE-2026-6474: Guard against malicious time zone names (bsc#1265174).
  * CVE-2026-6475: Prevent path traversal in pg_basebackup and pg_rewind
    (bsc#1265175).
  * CVE-2026-6476: Properly quote subscription names in pg_createsubscriber
    (bsc#1265176).
  * CVE-2026-6477: Mark PQfn() as unsafe, and avoid using it within libpq
    (bsc#1265177).
  * CVE-2026-6478: Use timing-safe string comparisons in authentication code
    (bsc#1265178).
  * CVE-2026-6479: Prevent unbounded recursion while processing startup packets
    (bsc#1265179).
  * CVE-2026-6575: Detect faulty input when restoring attribute MCV statistics
    (bsc#1265180).
  * CVE-2026-6637: Prevent SQL injection and buffer overruns in contrib/spi
    (bsc#1265181).
  * CVE-2026-6638: Properly quote object names in logical replication origin
    checks (bsc#1265182).

Non security issue:

  * Get rid of update-alternatives for openSUSE/SLE 16.0 and newer to support
    immutable systems and transactional updates (jsc#PED-14820).
  * /usr/bin/pg_config is missing after migrating away from update-alternatives
    (bsc#1263804).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise Server 12 SP5 LTSS  
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2026-1946=1

  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security  
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-1946=1

## Package List:

  * SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64)
    * libecpg6-debuginfo-18.4-8.12.1
    * libpq5-18.4-8.12.1
    * libpq5-debuginfo-18.4-8.12.1
    * libecpg6-18.4-8.12.1
  * SUSE Linux Enterprise Server 12 SP5 LTSS (s390x x86_64)
    * libpq5-debuginfo-32bit-18.4-8.12.1
    * libecpg6-32bit-18.4-8.12.1
    * libpq5-32bit-18.4-8.12.1
    * libecpg6-debuginfo-32bit-18.4-8.12.1
  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
    * libpq5-18.4-8.12.1
    * libecpg6-18.4-8.12.1
    * libpq5-debuginfo-18.4-8.12.1
    * libecpg6-debuginfo-32bit-18.4-8.12.1
    * libpq5-32bit-18.4-8.12.1
    * libpq5-debuginfo-32bit-18.4-8.12.1
    * libecpg6-debuginfo-18.4-8.12.1
    * libecpg6-32bit-18.4-8.12.1

## References:

  * https://www.suse.com/security/cve/CVE-2026-6472.html
  * https://www.suse.com/security/cve/CVE-2026-6473.html
  * https://www.suse.com/security/cve/CVE-2026-6474.html
  * https://www.suse.com/security/cve/CVE-2026-6475.html
  * https://www.suse.com/security/cve/CVE-2026-6476.html
  * https://www.suse.com/security/cve/CVE-2026-6477.html
  * https://www.suse.com/security/cve/CVE-2026-6478.html
  * https://www.suse.com/security/cve/CVE-2026-6479.html
  * https://www.suse.com/security/cve/CVE-2026-6575.html
  * https://www.suse.com/security/cve/CVE-2026-6637.html
  * https://www.suse.com/security/cve/CVE-2026-6638.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1263804
  * https://bugzilla.suse.com/show_bug.cgi?id=1265172
  * https://bugzilla.suse.com/show_bug.cgi?id=1265173
  * https://bugzilla.suse.com/show_bug.cgi?id=1265174
  * https://bugzilla.suse.com/show_bug.cgi?id=1265175
  * https://bugzilla.suse.com/show_bug.cgi?id=1265176
  * https://bugzilla.suse.com/show_bug.cgi?id=1265177
  * https://bugzilla.suse.com/show_bug.cgi?id=1265178
  * https://bugzilla.suse.com/show_bug.cgi?id=1265179
  * https://bugzilla.suse.com/show_bug.cgi?id=1265180
  * https://bugzilla.suse.com/show_bug.cgi?id=1265181
  * https://bugzilla.suse.com/show_bug.cgi?id=1265182
  * https://jira.suse.com/browse/PED-14820

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260518/32be5b2d/attachment.htm>

More information about the sle-updates mailing list