Amazon Linux 2 Security Advisory: ALAS2POSTGRESQL14-2026-023
Advisory Released Date: 2026-06-08
Advisory Updated Date: 2026-06-08
Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. (CVE-2026-6477)
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. (CVE-2026-6478)
Affected Packages:
libpq
Note:
This advisory is applicable to Amazon Linux 2 - Postgresql14 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update libpq or yum update --advisory ALAS2POSTGRESQL14-2026-023 to update your system.
aarch64:
libpq-14.23-1.amzn2.0.1.aarch64
libpq-devel-14.23-1.amzn2.0.1.aarch64
libpq-debuginfo-14.23-1.amzn2.0.1.aarch64
src:
libpq-14.23-1.amzn2.0.1.src
x86_64:
libpq-14.23-1.amzn2.0.1.x86_64
libpq-devel-14.23-1.amzn2.0.1.x86_64
libpq-debuginfo-14.23-1.amzn2.0.1.x86_64