Security update for postgresql18 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0785-1 Final 1 1 2026-03-03T14:01:35Z current 2026-03-03T14:01:35Z 2026-03-03T14:01:35Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for postgresql18 This update for postgresql18 fixes the following issue: Update to version 18.3 (bsc#1258754). Regression fixes: - the substring() function raises an error 'invalid byte sequence for encoding' on non-ASCII text values if the source of that value is a database column (caused by CVE-2026-2006 fix). - a standby may halt and return an error 'could not access status of transaction'. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-785,SUSE-SLE-SERVER-12-SP5-LTSS-2026-785,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-785 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260785-1/ Link for SUSE-SU-2026:0785-1 https://lists.suse.com/pipermail/sle-security-updates/2026-March/024533.html E-Mail link for SUSE-SU-2026:0785-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1258011 SUSE Bug 1258011 https://bugzilla.suse.com/1258754 SUSE Bug 1258754 https://www.suse.com/security/cve/CVE-2026-2006/ SUSE CVE CVE-2026-2006 page SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libecpg6-18.3-8.9.1 libecpg6-32bit-18.3-8.9.1 libecpg6-64bit-18.3-8.9.1 libpq5-18.3-8.9.1 libpq5-32bit-18.3-8.9.1 libpq5-64bit-18.3-8.9.1 postgresql18-18.3-8.9.1 postgresql18-contrib-18.3-8.9.1 postgresql18-devel-18.3-8.9.1 postgresql18-devel-mini-18.3-8.9.1 postgresql18-docs-18.3-8.9.1 postgresql18-llvmjit-devel-18.3-8.9.1 postgresql18-plperl-18.3-8.9.1 postgresql18-plpython-18.3-8.9.1 postgresql18-pltcl-18.3-8.9.1 postgresql18-server-18.3-8.9.1 postgresql18-server-devel-18.3-8.9.1 postgresql18-test-18.3-8.9.1 libecpg6-18.3-8.9.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libecpg6-32bit-18.3-8.9.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libpq5-18.3-8.9.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libpq5-32bit-18.3-8.9.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libecpg6-18.3-8.9.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libecpg6-32bit-18.3-8.9.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libpq5-18.3-8.9.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libpq5-32bit-18.3-8.9.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. CVE-2026-2006 SUSE Linux Enterprise Server 12 SP5-LTSS:libecpg6-18.3-8.9.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libecpg6-32bit-18.3-8.9.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libpq5-18.3-8.9.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libpq5-32bit-18.3-8.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libecpg6-18.3-8.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libecpg6-32bit-18.3-8.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpq5-18.3-8.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpq5-32bit-18.3-8.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260785-1/ https://www.suse.com/security/cve/CVE-2026-2006.html CVE-2026-2006 https://bugzilla.suse.com/1258011 SUSE Bug 1258011