Update to 16.13

- Fix CVE-2026-2004: PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code - Fix CVE-2026-2005: PostgreSQL pgcrypto heap buffer overflow executes arbitrary code - Fix CVE-2026-2006: PostgreSQL missing validation of multibyte character length executes arbitrary code Resolves: RHEL-149365 RHEL-149399 RHEL-149333 Made-with: Cursor
2026-02-16 14:40:51 +00:00 · 2026-02-16 14:40:51 +00:00 · 577fb4f335
commit 577fb4f335
parent caadcd6c6f
3 changed files with 17 additions and 6 deletions
--- a/.gitignore
+++ b/.gitignore
@ -21,3 +21,7 @@
 /postgresql-13.22.tar.bz2.sha256
 /postgresql-16.11.tar.bz2
 /postgresql-16.11.tar.bz2.sha256
+/postgresql-16.12.tar.bz2
+/postgresql-16.12.tar.bz2.sha256
+/postgresql-13.23.tar.bz2
+/postgresql-13.23.tar.bz2.sha256
--- a/postgresql16.spec
+++ b/postgresql16.spec
@ -47,7 +47,7 @@

 Summary: PostgreSQL client programs
 Name: %{majorname}%{majorversion}
-Version: %{majorversion}.11
+Version: %{majorversion}.13
 Release: 1%{?dist}

 # The PostgreSQL license is very similar to other MIT licenses, but the OSI
@ -60,7 +60,7 @@ Url: http://www.postgresql.org/
 # that this be kept up with the latest minor release of the previous series;
 # but update when bugs affecting pg_dump output are fixed.
 %global prevmajorversion 13
-%global prevversion %{prevmajorversion}.22
+%global prevversion %{prevmajorversion}.23
 %global prev_prefix %{_libdir}/pgsql/postgresql-%{prevmajorversion}
 %global precise_version %{?epoch:%epoch:}%version-%release

@ -1348,6 +1348,13 @@ make -C postgresql-setup-%{setup_version} check


 %changelog
+* Fri Feb 27 2026 Filip Janus <fjanus@redhat.com> - 16.13-1
+- Update to 16.13
+- Fix CVE-2026-2004: PostgreSQL intarray missing validation of type of input
+- Fix CVE-2026-2005: PostgreSQL pgcrypto heap buffer overflow
+- Fix CVE-2026-2006: PostgreSQL missing validation of multibyte character length
+- Resolves: RHEL-149365 RHEL-149399 RHEL-149333
+
 * Mon Dec 01 2025 Filip Janus <fjanus@redhat.com> - 16.11-1
 - Update to 16.11
 - Resolves: RHEL-128802 (CVE-2025-12818) [rhel-10.2]
--- a/8
+++ b/8
@ -1,5 +1,5 @@
-SHA512 (postgresql-16.11.tar.bz2) = f11f8f3e5855cfce27108a1bd2122c5a7a1ff37c6d9366d7a96a041aab67a4e4a31e54f0757b6b97c72d841acdcaa97d3eaa765213d4899b2cf7047c549012b8
-SHA512 (postgresql-16.11.tar.bz2.sha256) = 3c07dc85608f8cee5071bd7d404feff1c767afb468a8f41225b73d5df05334dca9a3465e16307a3b5b21c1a44684deab0c496fbd03b9d061e4a9559684876671
-SHA512 (postgresql-13.22.tar.bz2) = 0f578526aad852285de001369dd1c8308f03479c8f4f6c1a1d066b6b77103e340df95b9ab41df3f959c4e17d4fb0c0441b02a04d3e6c01cfcd40a2632c3ac7eb
-SHA512 (postgresql-13.22.tar.bz2.sha256) = e93c92f5bf1d091e7381abaf2d5076dec2390e5f65396eb887c92c50f7df659b296b1688991b8894b91bb409c616d4ce07312b115246b1a864e6b741172a6d7b
+SHA512 (postgresql-16.13.tar.bz2) = 3ea11b81ce55be5c3c169f0c94ddfa9debae6b3cbe7407086ba3a602fad7668900c2838d4d4488c671b2ccc670a9cd288ece90e42ecf8de953df6b4e103d286d
+SHA512 (postgresql-16.13.tar.bz2.sha256) = 0be6cc3fc1f0d358b63288f0f8029932ad90c1fc8d98867cc07e9d832c14228835d66f747c2105db7a7455976f5654a8592bb0b1de3baf91163fa108d8325ea6
+SHA512 (postgresql-13.23.tar.bz2) = 9589fe26d874eb91244b7325d997d5e54e93d61a13f63b7e9ef247c0ca6c8ade420487303295010b0c45d7775b64da076a2af14bdcb7a03702d06b5edf159c39
+SHA512 (postgresql-13.23.tar.bz2.sha256) = f4ef1da9ffbce1db074d2a76c87710d57139f013c8c43b7045eb986ec0c11219c5b72227fdc3765073733b694bcb25637797905c171003912944bb8110d322e5
 SHA512 (postgresql-setup-8.9.tar.gz) = 118e9ebf858722a38b0e90324bc1b49fc7058cda601ca0a7e78c94e7b95e89d6dbbc46f377626364b068614ced3cde3cb4733973ad2d71bf17892ad773657ef7