CVE-2025-12817
Missing authorization in PostgreSQL CREATE STATISTICS command
allows a table owner to achieve denial of service against other
CREATE STATISTICS users by creating in any schema. A later
CREATE STATISTICS for the same name, from a user having the
CREATE privilege, would then fail.
CVE-2025-12818
Integer wraparound in multiple PostgreSQL libpq client library
functions allows an application input provider or network peer
to cause libpq to undersize an allocation and write out-of-bounds
by hundreds of megabytes. This results in a segmentation fault
for the application using libpq.
For Debian 11 bullseye, these problems have been fixed in version
13.23-0+deb11u1.
We recommend that you upgrade your postgresql-13 packages.
For the detailed security status of postgresql-13 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/postgresql-13
Get the latest Linux and open source security news straight to your inbox.