From: Landry Breuil
Subject: Re: Update: PostgreSQL 18.2
To: Jeremy Evans
Cc: OpenBSD ports
Date: Tue, 17 Feb 2026 10:05:23 +0100

On Tue, Feb 17, 2026 at 08:37:55AM +0100, Landry Breuil wrote:
> On Tue, Feb 17, 2026 at 08:36:17AM +0100, Landry Breuil wrote:
> > On Mon, Feb 16, 2026 at 12:43:54PM -0800, Jeremy Evans wrote:
> > > On 02/12 05:54, Jeremy Evans wrote:
> > > > This updates to the latest release of PostgreSQL. In addition to the
> > > > usual bug fixes, there are some security fixes:
> > > >
> > > > CVE-2026-2003: PostgreSQL oidvector discloses a few bytes of memory
> > > >
> > > > CVE-2026-2004: PostgreSQL intarray missing validation of type of input
> > > > to selectivity estimator executes arbitrary code
> > > >
> > > > CVE-2026-2005: PostgreSQL pgcrypto heap buffer overflow executes
> > > > arbitrary code
> > > >
> > > > CVE-2026-2006: PostgreSQL missing validation of multibyte character
> > > > length executes arbitrary code
> > > >
> > > > CVE-2026-2007: PostgreSQL pg_trgm heap buffer overflow writes pattern
> > > > onto server memory
> > > >
> > > > Tested locally on amd64. OKs?
> > >
> > > PostgreSQL announced an out-of-band release for next week to fix some
> > > regressions in 18.2. So instead of upgrading to 18.2, we can wait for
> > > 18.3. For more details:
> > > https://www.postgresql.org/about/news/out-of-cycle-release-scheduled-for-february-26-2026-3241/
> >
> > that's no big deal committing what you have now for 18.2 and updating to
> > 18.3 on the 26. if you have the diff and tested it ...
>
> Duh, not caffeinated enough. of course it makes somewhat sense to not
> update to 18.2, if it adds regressions... you're the one in the better
> position to judge :)
>

here's the trivial diff for 17.8 for 7.8-stable, but it can wait for 17.9 next week.

Index: Makefile =================================================================== RCS file: /cvs/ports/databases/postgresql/Makefile,v diff -u -r1.311.2.1 Makefile --- Makefile 15 Nov 2025 21:46:57 -0000 1.311.2.1 +++ Makefile 17 Feb 2026 09:04:08 -0000 @@ -5,7 +5,7 @@ COMMENT-plpython=Python procedural language for PostgreSQL COMMENT-pg_upgrade=Support for upgrading PostgreSQL data from previous version -VERSION= 17.7 +VERSION= 17.8 PREV_MAJOR= 16 DISTNAME= postgresql-${VERSION} PKGNAME-main= postgresql-client-${VERSION} Index: distinfo =================================================================== RCS file: /cvs/ports/databases/postgresql/distinfo,v diff -u -r1.106.2.1 distinfo --- distinfo 15 Nov 2025 21:46:57 -0000 1.106.2.1 +++ distinfo 17 Feb 2026 09:04:08 -0000 @@ -1,2 +1,2 @@ -SHA256 (postgresql-17.7.tar.gz) = Sp6UIE4mWykrCzZTTDhUPyT52W9UE86sSJ7wUwgq51I= -SIZE (postgresql-17.7.tar.gz) = 28186920 +SHA256 (postgresql-17.8.tar.gz) = sDja3vrVTCqEWe7pFzakQxl3HuwCG/hf7Tznzx93VT4= +SIZE (postgresql-17.8.tar.gz) = 28253258
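Review bot: in the Makefile hunk, only the VERSION line changes, and the context shown (the COMMENT-plpython and COMMENT-pg_upgrade lines through PKGNAME-main) does not reach any REVISION settings for the subpackages. If the -stable Makefile sets a REVISION for any of them further down, it should be dropped in this same commit, otherwise the 17.8 packages inherit a stale pN suffix. Please confirm either way, or extend the diff to show it.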
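Review bot: in the distinfo hunk, the new SHA256 and SIZE lines for postgresql-17.8.tar.gz are the only integrity pin for the tarball, and nothing in the mail says how they were produced or checked. Please state that they were regenerated from a fresh fetch and that the digest was compared against the checksum upstream publishes for the release. The value here is base64-encoded, so it has to be converted before comparing with a hex digest. Since the mail says this can wait for 17.9, both lines must be regenerated for that tarball rather than carried over from this diff.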