Amazon Linux 2023 Security Advisory: ALAS2023-2026-1711
Advisory Released Date: 2026-05-15
Advisory Updated Date: 2026-05-25
Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. (CVE-2026-6477)
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. (CVE-2026-6478)
Affected Packages:
libpq
Issue Correction:
Run dnf update libpq --releasever 2023.11.20260514 or dnf update --advisory ALAS2023-2026-1711 --releasever 2023.11.20260514 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
libpq-devel-debuginfo-18.4-1.amzn2023.0.1.aarch64
libpq-debuginfo-18.4-1.amzn2023.0.1.aarch64
libpq-debugsource-18.4-1.amzn2023.0.1.aarch64
libpq-18.4-1.amzn2023.0.1.aarch64
libpq-devel-18.4-1.amzn2023.0.1.aarch64
src:
libpq-18.4-1.amzn2023.0.1.src
x86_64:
libpq-debuginfo-18.4-1.amzn2023.0.1.x86_64
libpq-debugsource-18.4-1.amzn2023.0.1.x86_64
libpq-devel-debuginfo-18.4-1.amzn2023.0.1.x86_64
libpq-18.4-1.amzn2023.0.1.x86_64
libpq-devel-18.4-1.amzn2023.0.1.x86_64