Your message dated Thu, 14 May 2026 11:21:04 +0000
with message-id <[email protected]>
and subject line Bug#1124468: fixed in postgresql-18 18.4-1
has caused the Debian Bug report #1124468,
regarding postgresql-18: [INTL:zh] Chinese debconf templates translations
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1124468: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124468
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: postgresql-18
Severity: wishlist
Tags: patch l10n
Please add the chinese debconf templates translations (attached).
Thanks
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the PACKAGE package.
# Yangfl <[email protected]>, 2026.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: \n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2026-01-01 07:04+0000\n"
"PO-Revision-Date: 2026-01-02 00:30+0800\n"
"Last-Translator: Yangfl <[email protected]>\n"
"Language-Team: 漢語 <[email protected]>\n"
"Language: zh_TW\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=1; plural=0;\n"
"X-Generator: Poedit 3.8\n"
#. Type: boolean
#. Description
#: ../postgresql-18.templates:1001
msgid "Remove PostgreSQL directories when package is purged?"
msgstr "清除套件時是否移除 PostgreSQL 目錄?"
#. Type: boolean
#. Description
#: ../postgresql-18.templates:1001
msgid ""
"Removing the PostgreSQL server package will leave existing database clusters "
"intact, i.e. their configuration, data, and log directories will not be "
"removed. On purging the package, the directories can optionally be removed."
msgstr ""
"移除 PostgreSQL 伺服器套件不會影響現有的資料庫集群,即其設定、資料和日誌目錄"
"不會被移除。在清除套件時,可以選擇移除這些目錄。"
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the PACKAGE package.
# Yangfl <[email protected]>, 2026.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: \n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2026-01-01 07:04+0000\n"
"PO-Revision-Date: 2026-01-02 00:29+0800\n"
"Last-Translator: Yangfl <[email protected]>\n"
"Language-Team: 汉语 <[email protected]>\n"
"Language: zh_CN\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=1; plural=0;\n"
"X-Generator: Poedit 3.8\n"
#. Type: boolean
#. Description
#: ../postgresql-18.templates:1001
msgid "Remove PostgreSQL directories when package is purged?"
msgstr "清除软件包时是否删除 PostgreSQL 目录?"
#. Type: boolean
#. Description
#: ../postgresql-18.templates:1001
msgid ""
"Removing the PostgreSQL server package will leave existing database clusters "
"intact, i.e. their configuration, data, and log directories will not be "
"removed. On purging the package, the directories can optionally be removed."
msgstr ""
"卸载 PostgreSQL 服务器软件包不会影响现有的数据库集群,即其配置、数据和日志目"
"录不会被删除。在清除软件包时,可以选择删除这些目录。"
--- End Message ---
--- Begin Message ---
Source: postgresql-18
Source-Version: 18.4-1
Done: Christoph Berg <[email protected]>
We believe that the bug you reported is fixed in the latest version of
postgresql-18, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christoph Berg <[email protected]> (supplier of updated postgresql-18 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 11 May 2026 22:49:32 +0200
Source: postgresql-18
Architecture: source
Version: 18.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <[email protected]>
Changed-By: Christoph Berg <[email protected]>
Closes: 1124468
Changes:
postgresql-18 (18.4-1) unstable; urgency=medium
.
[ Christoph Berg ]
* New upstream version 18.4.
.
+ Prevent unbounded recursion while processing startup packets
(Michael Paquier)
.
A malicious client could crash the connected backend by alternating
rejected SSL and GSS encryption requests indefinitely.
.
The PostgreSQL Project thanks Calif.io (in collaboration with Claude and
Anthropic Research) for reporting this problem. (CVE-2026-6479)
.
+ Fix assorted integer overflows in memory-allocation calculations
(Tom Lane, Nathan Bossart, Heikki Linnakangas)
.
Various places were incautious about the possibility of integer overflow
in calculations of how much memory to allocate. Overflow would lead to
allocating a too-small buffer which the caller would then write past the
end of. This would at least trigger server crashes, and probably could
be exploited for arbitrary code execution. In many but by no means all
cases, the hazard exists only in 32-bit builds.
.
The PostgreSQL Project thanks Xint Code, Bruce Dang, Sven Klemm, and
Pavel Kohout for reporting these problems. (CVE-2026-6473)
.
+ Properly quote subscription names in pg_createsubscriber
(Nathan Bossart)
.
The given subscription name was inserted into SQL commands without
quoting, so that SQL injection could be achieved in the (perhaps
unlikely) case that the subscription name comes from an untrusted
source.
.
The PostgreSQL Project thanks Yu Kunpeng for reporting this problem.
(CVE-2026-6476)
.
+ Properly quote object names in logical replication origin checks
(Pavel Kohout)
.
ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolated schema and
relation names into SQL commands without quoting them, allowing
execution of arbitrary SQL on the publisher.
.
The PostgreSQL Project thanks Pavel Kohout for reporting this problem.
(CVE-2026-6638)
.
+ Reject over-length options in ts_headline() (Michael Paquier)
.
The StartSel, StopSel and FragmentDelimiter strings must not exceed 32Kb
in length, but this was not checked for. An over-length value would
typically crash the server.
.
The PostgreSQL Project thanks Xint Code for reporting this problem.
(CVE-2026-6473)
.
+ Detect faulty input when restoring attribute MCV statistics
(Michael Paquier)
.
The statistics restore functions were insufficiently careful about
validating most-common-value statistics, and would accept values that
could crash the planner later on.
.
The PostgreSQL Project thanks Jeroen Gui for reporting this problem.
(CVE-2026-6575)
.
+ Guard against malicious time zone names in timeofday() and pg_strftime()
(Tom Lane)
.
A crafted time zone setting could pass % sequences to snprintf(),
potentially causing crashes or disclosure of server memory. Another
path to similar results was to overflow the limited-size output buffer
used by pg_strftime().
.
The PostgreSQL Project thanks Xint Code for reporting this problem.
(CVE-2026-6474)
.
+ When creating a multirange type, ensure the user has CREATE privilege on
the schema specified for the multirange type (Jelte Fennema-Nio)
.
The multirange type can be put into a different schema than its parent
range type, but we neglected to apply the required privilege check when
doing so.
.
The PostgreSQL Project thanks Jelte Fennema-Nio for reporting this
problem. (CVE-2026-6472)
.
+ Use timing-safe string comparisons in authentication code
(Michael Paquier)
.
Use timingsafe_bcmp() instead of memcpy() or strcmp() when checking
passwords, hashes, etc. It is not known whether the data dependency of
those functions is usefully exploitable in any of these places, but in
the interests of safety, replace them.
.
The PostgreSQL Project thanks Joe Conway for reporting this problem.
(CVE-2026-6478)
.
+ Mark PQfn() as unsafe, and avoid using it within libpq (Nathan Bossart)
.
For a non-integral result type, PQfn() is not passed the size of the
output buffer, so it cannot check that the data returned by the server
will fit. A malicious server could therefore overwrite client memory.
This is unfixable without an API change, so mark the function as
deprecated. Internally to libpq, use a variant version that can apply
the missing check.
.
The PostgreSQL Project thanks Yu Kunpeng and Martin Heistermann for
reporting this problem. (CVE-2026-6477)
.
+ Prevent path traversal in pg_basebackup and pg_rewind (Michael Paquier)
.
These applications failed to validate output file paths read from their
input, so that a malicious source could overwrite any file writable by
these applications. Constrain where data can be written by rejecting
paths that are absolute or contain parent-directory references.
.
The PostgreSQL Project thanks XlabAI Team of Tencent Xuanwu Lab and
Valery Gubanov for reporting this problem. (CVE-2026-6475)
.
+ Guard against field overflow within contrib/intarray's query_int type
and contrib/ltree's ltxtquery type (Tom Lane)
.
Parsing of these query structures did not check for overflow of 16-bit
fields, so that construction of an invalid query tree was possible.
This can crash the server when executing the query.
.
The PostgreSQL Project thanks Xint Code for reporting this problem.
(CVE-2026-6473)
.
+ Guard against overly long values of contrib/ltree's lquery type
(Michael Paquier)
.
Values with more than 64K items caused internal overflows, potentially
resulting in stack smashes or wrong answers.
.
The PostgreSQL Project thanks Vergissmeinnicht, A1ex, and Jihe Wang for
reporting this problem. (CVE-2026-6473)
.
+ Prevent SQL injection and buffer overruns in contrib/spi
(Nathan Bossart)
.
check_foreign_key() was insufficiently careful about quoting key values,
and also used fixed-length buffers for constructing queries. While this
module is only meant as example code, it still shouldn't contain such
dangerous errors.
.
The PostgreSQL Project thanks Nikolay Samokhvalov for reporting this
problem. (CVE-2026-6637)
.
* Add zh_TW, zh_CN debconf translations. Thanks Yangfl! (Closes: #1124468)
.
[ Michael Banck ]
* Add patch that fixes TAP tests on hurd.
Checksums-Sha1:
3cb5ce320f0a528de4dcee5b610bf7706218b5f4 4752 postgresql-18_18.4-1.dsc
25d1499917475db9f3129a7f658b7b005b577da8 22567173
postgresql-18_18.4.orig.tar.bz2
4b5bf58abd2ce26266498df9b05d9baa8365eaa0 27900
postgresql-18_18.4-1.debian.tar.xz
Checksums-Sha256:
149b0158c6689dbb4fc924e5d80375f4a8595e0eea4fb512dc6aea397f220475 4752
postgresql-18_18.4-1.dsc
81a81ec695fb0c7901407defaa1d2f7973617154cf27ba74e3a7ab8e64436094 22567173
postgresql-18_18.4.orig.tar.bz2
1144b0f797277955a5b09c6bef1ff4030f2a9c7bf6285af53e7a2af78c193a73 27900
postgresql-18_18.4-1.debian.tar.xz
Files:
61fb00cf5dc05ed8bb67269cdc333c0d 4752 database optional
postgresql-18_18.4-1.dsc
f985597ebb8e71f338beb2bef974b6ed 22567173 database optional
postgresql-18_18.4.orig.tar.bz2
3ef451c68c131b9c8512be36c56fe613 27900 database optional
postgresql-18_18.4-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmoDJIoACgkQTFprqxLS
p66yyBAAkTIFqmzIyavvxjMnTB4hdtccIZygdUvwPUjyu2laNRL2UTn9/F47Bivl
cot1JmLx1HecYhIsUQX/ORdt7Qg5IUcRL5PDrRx8EeAHVK3ZPTsSHzJKmwxQ8qLg
yf/ldCpepWby70B/in4aqqCxhts3/i5CCZwpMY81SO70Emw7gjlPihQNCp07BYeN
FnP5cbDbH+ivRx1Q28VAWnrxE9mnQkM1+tiBWqWHDGvhC81GuN/I/GiLVLRr9sxC
rKLgCl7Vyv5ofSYUAmk9TYFqY3o+l6uwDOoOp2I3fET+fh8edPhFTM2nr4+RI9ve
8SXPffO5GtKkmDHJIy8Wl0MQVZ82uutaJfTANog2QXOAeqFGmyNO1sCG2jQAwqAH
kAGa1cakdjrtwPZ0p2QugaMhTXFBVf7ypNYhcKWflJ8iCHhICXQLXneua8ZQjW7z
suNDfJ2NmaLCqJ9oabwp6FOAcA9/05tdE/OlkLcOAwNSdSObAS7IRIWlCWVC4aYq
g92C6brw3p4i2Kt0X3WYjipPoVEHTWNIS92Npoj/qxMMnzwi/E1DkOV8MzXBNLuB
cpTs6wyIqEUD3/ZVlUOhf+hLeZtA3uow9nEFjqllZ2VDLZi0OPHo3U93z9Log7IB
8NbagV2LjU4bqpvf+Hci2ieIv97HisvEERCY9F440ILdHs1Iopc=
=/nHF
-----END PGP SIGNATURE-----
pgpJQQxBH2gNU.pgp
Description: PGP signature
--- End Message ---
