postgresql-18 (18.2-1) unstable; urgency=medium

  * New upstream version 18.2.

    + Guard against unexpected dimensions of oidvector/int2vector (Tom Lane)

      These data types are expected to be 1-dimensional arrays containing no
      nulls, but there are cast pathways that permit violating those
      expectations.  Add checks to some functions that were depending on those
      expectations without verifying them, and could misbehave in consequence.

      The PostgreSQL Project thanks Altan Birler for reporting this problem.
      (CVE-2026-2003)

    + Harden selectivity estimators against being attached to operators that
      accept unexpected data types (Tom Lane)

      contrib/intarray contained a selectivity estimation function that could
      be abused for arbitrary code execution, because it did not check that
      its input was of the expected data type.  Third-party extensions should
      check for similar hazards and add defenses using the technique intarray
      now uses. Since such extension fixes will take time, we now require
      superuser privilege to attach a non-built-in selectivity estimator to an
      operator.

      The PostgreSQL Project thanks Daniel Firer, as part of zeroday.cloud,
      for reporting this problem. (CVE-2026-2004)

    + Fix buffer overrun in contrib/pgcrypto's PGP decryption functions
      (Michael Paquier)

      Decrypting a crafted message with an overlength session key caused a
      buffer overrun, with consequences as bad as arbitrary code execution.

      The PostgreSQL Project thanks Team Xint Code, as part of zeroday.cloud,
      for reporting this problem. (CVE-2026-2005)

    + Fix inadequate validation of multibyte character lengths
      (Thomas Munro, Noah Misch)

      Assorted bugs allowed an attacker able to issue crafted SQL to overrun
      string buffers, with consequences as bad as arbitrary code execution.
      After these fixes, applications may observe invalid byte sequence for
      encoding errors when string functions process invalid text that has been
      stored in the database.

      The PostgreSQL Project thanks Paul Gerste and Moritz Sanft, as part of
      zeroday.cloud, for reporting this problem. (CVE-2026-2006)

    + Harden contrib/pg_trgm against changes in string lowercasing behavior
      (Heikki Linnakangas)

      Fix potential buffer overruns arising from the fact that in some locales
      lower-casing a string can produce more characters (not bytes) than were
      in the original.  That behavior is new in version 18, and so is the bug.

      The PostgreSQL Project thanks Heikki Linnakangas for reporting this
      problem. (CVE-2026-2007)

  * Remove pg_numa_init and LLVM 21 patches, merged upstream.

 -- Christoph Berg <myon@debian.org>  Tue, 10 Feb 2026 11:26:19 +0100

postgresql-18 (18.1-2) unstable; urgency=medium

  * Fix build with LLVM 21.

 -- Christoph Berg <myon@debian.org>  Thu, 11 Dec 2025 17:37:16 +0100

postgresql-18 (18.1-1) unstable; urgency=medium

  * New upstream version 18.1.

    + Check for CREATE privileges on the schema in CREATE STATISTICS
      (Jelte Fennema-Nio)

      This omission allowed table owners to create statistics in any schema,
      potentially leading to unexpected naming conflicts.

      The PostgreSQL Project thanks Jelte Fennema-Nio for reporting this
      problem. (CVE-2025-12817)

    + Avoid integer overflow in allocation-size calculations within libpq
      (Jacob Champion)

      Several places in libpq were not sufficiently careful about computing
      the required size of a memory allocation.  Sufficiently large inputs
      could cause integer overflow, resulting in an undersized buffer, which
      would then lead to writing past the end of the buffer.

      The PostgreSQL Project thanks Aleksey Solovev of Positive Technologies
      for reporting this problem. (CVE-2025-12818)

  * Handle EPERM in pg_numa_init.
  * Test-Depend on postgresql-common-dev.

 -- Christoph Berg <myon@debian.org>  Tue, 11 Nov 2025 13:05:55 +0100

postgresql-18 (18.0-1) unstable; urgency=medium

  * PostgreSQL 18.0.
  * B-D on openssl.

 -- Christoph Berg <myon@debian.org>  Tue, 23 Sep 2025 21:46:05 +0200

postgresql-18 (18~rc1-3) unstable; urgency=medium

  * libpq.pc: Drop libcurl from Requires.private.

 -- Christoph Berg <myon@debian.org>  Tue, 23 Sep 2025 17:12:07 +0200

postgresql-18 (18~rc1-2) unstable; urgency=medium

  * Upload to unstable in preparation of 18.0 release.
  * B-D on postgresql-common-dev instead of -common.
  * Drop move-pages32 patch, upstream had a different fix already.

 -- Christoph Berg <myon@debian.org>  Mon, 22 Sep 2025 12:37:17 +0200

postgresql-18 (18~rc1-1) experimental; urgency=medium

  * New upstream version 18rc1.
  * libpq-oauth.lintian-overrides: Package is a plugin.

 -- Christoph Berg <myon@debian.org>  Wed, 13 Aug 2025 23:37:10 +0200

postgresql-18 (18~beta3-1) experimental; urgency=medium

  * New upstream version 18beta3.
  * Drop obsolete patches: focal-arm64-outline-atomics, jit-s390x.

 -- Christoph Berg <myon@debian.org>  Tue, 12 Aug 2025 12:08:31 +0200

postgresql-18 (18~beta2-1) experimental; urgency=medium

  * New upstream version 18beta2.
  * Drop hurd-iovec patch, implemented upstream.
  * debian/libpq5.symbols: Remove PQservice (introduced earlier in 18).

 -- Christoph Berg <myon@debian.org>  Fri, 18 Jul 2025 12:48:48 +0200

postgresql-18 (18~beta1+20250701-1) experimental; urgency=medium

  * New upstream snapshot.

 -- Christoph Berg <myon@debian.org>  Tue, 01 Jul 2025 11:36:41 +0200

postgresql-18 (18~beta1+20250624-1) experimental; urgency=medium

  * New upstream snapshot.
  * Restrict libpq-oauth and B-D: libnuma-dev to [linux-any].
  * Work around a Linux 32-bit bug in move_pages on 64-bit kernels.
  * Add Turkish debconf translation by Atila KOÇ, thanks! (Closes: #1107984)
  * Add Catalan debconf translation by Carles Pina i Estany, thanks!

 -- Christoph Berg <myon@debian.org>  Mon, 23 Jun 2025 14:37:14 +0200

postgresql-18 (18~beta1+20250612-1) experimental; urgency=medium

  * New upstream snapshot.
  * Add B-D on libnuma-dev.

 -- Christoph Berg <myon@debian.org>  Fri, 06 Jun 2025 14:29:17 +0200

postgresql-18 (18~beta1-1) experimental; urgency=medium

  * First beta version.

 -- Christoph Berg <myon@debian.org>  Tue, 06 May 2025 20:28:58 +0200

postgresql-18 (18~~devel.20250502-1) experimental; urgency=medium

  * Split libpq-oauth into a separate package so libpq5 does not have to
    depend on libcurl.

 -- Christoph Berg <myon@debian.org>  Fri, 02 May 2025 10:39:45 +0200

postgresql-18 (18~~devel.20250421-1) experimental; urgency=medium

  * New upstream snapshot.

 -- Christoph Berg <myon@debian.org>  Mon, 21 Apr 2025 21:07:47 +0200

postgresql-18 (18~~devel.20250405-1) experimental; urgency=medium

  * New upstream snapshot.
  * B-D on liburing-dev.

 -- Christoph Berg <myon@debian.org>  Wed, 02 Apr 2025 15:15:38 +0200

postgresql-18 (18~~devel.20250331-1) experimental; urgency=medium

  * New upstream snapshot.
  * Drop extension_destdir patch, implemented upstream as
    extension_control_path.
  * Disable JIT on loong64 and riscv64 again, still segfaulting.

 -- Christoph Berg <myon@debian.org>  Wed, 19 Mar 2025 15:47:26 +0100

postgresql-18 (18~~devel.20250318+g4078da6c478-1) experimental; urgency=medium

  * New major upstream version 18; packaging based on postgresql-17.
  * Move JIT to new postgresql-18-jit package. (Closes: #927182)
  * Enable JIT only on 64-bit architectures.

 -- Christoph Berg <myon@debian.org>  Tue, 18 Mar 2025 16:43:43 +0100
