{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Medium" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"libpq security update", "category":"general", "title":"Synopsis" }, { "text":"An update for libpq is now available for openEuler-22.03-LTS-SP3", "category":"general", "title":"Summary" }, { "text":"PostgreSQL is a powerful, open source object-relational database system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. This package provides the essential shared library for any PostgreSQL client program or interface.\n\nSecurity Fix(es):\n\nMissing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.(CVE-2025-12817)\n\nInteger wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.(CVE-2025-12818)", "category":"general", "title":"Description" }, { "text":"An update for libpq is now available for openEuler-22.03-LTS-SP3.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Medium", "category":"general", "title":"Severity" }, { "text":"libpq", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-2727", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2727" }, { "summary":"CVE-2025-12817", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-12817&packageName=libpq" }, { "summary":"CVE-2025-12818", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-12818&packageName=libpq" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12817" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12818" }, { "summary":"openEuler-SA-2025-2727 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openEuler-SA-2025-2727.json" } ], "title":"An update for libpq is now available for openEuler-22.03-LTS-SP3", "tracking":{ "initial_release_date":"2025-11-24T15:39:09+08:00", "revision_history":[ { "date":"2025-11-24T15:39:09+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-11-24T15:39:09+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-11-24T15:39:09+08:00", "id":"openEuler-SA-2025-2727", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"openEuler-22.03-LTS-SP3", "name":"openEuler-22.03-LTS-SP3" }, "name":"openEuler-22.03-LTS-SP3", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"libpq-13.23-1.oe2203sp3.aarch64.rpm", "name":"libpq-13.23-1.oe2203sp3.aarch64.rpm" }, "name":"libpq-13.23-1.oe2203sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"libpq-debuginfo-13.23-1.oe2203sp3.aarch64.rpm", "name":"libpq-debuginfo-13.23-1.oe2203sp3.aarch64.rpm" }, "name":"libpq-debuginfo-13.23-1.oe2203sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"libpq-debugsource-13.23-1.oe2203sp3.aarch64.rpm", "name":"libpq-debugsource-13.23-1.oe2203sp3.aarch64.rpm" }, "name":"libpq-debugsource-13.23-1.oe2203sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"libpq-devel-13.23-1.oe2203sp3.aarch64.rpm", "name":"libpq-devel-13.23-1.oe2203sp3.aarch64.rpm" }, "name":"libpq-devel-13.23-1.oe2203sp3.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"libpq-13.23-1.oe2203sp3.src.rpm", "name":"libpq-13.23-1.oe2203sp3.src.rpm" }, "name":"libpq-13.23-1.oe2203sp3.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"libpq-13.23-1.oe2203sp3.x86_64.rpm", "name":"libpq-13.23-1.oe2203sp3.x86_64.rpm" }, "name":"libpq-13.23-1.oe2203sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"libpq-debuginfo-13.23-1.oe2203sp3.x86_64.rpm", "name":"libpq-debuginfo-13.23-1.oe2203sp3.x86_64.rpm" }, "name":"libpq-debuginfo-13.23-1.oe2203sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"libpq-debugsource-13.23-1.oe2203sp3.x86_64.rpm", "name":"libpq-debugsource-13.23-1.oe2203sp3.x86_64.rpm" }, "name":"libpq-debugsource-13.23-1.oe2203sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"libpq-devel-13.23-1.oe2203sp3.x86_64.rpm", "name":"libpq-devel-13.23-1.oe2203sp3.x86_64.rpm" }, "name":"libpq-devel-13.23-1.oe2203sp3.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"libpq-13.23-1.oe2203sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.aarch64", "name":"libpq-13.23-1.oe2203sp3.aarch64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"libpq-debuginfo-13.23-1.oe2203sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:libpq-debuginfo-13.23-1.oe2203sp3.aarch64", "name":"libpq-debuginfo-13.23-1.oe2203sp3.aarch64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"libpq-debugsource-13.23-1.oe2203sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:libpq-debugsource-13.23-1.oe2203sp3.aarch64", "name":"libpq-debugsource-13.23-1.oe2203sp3.aarch64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"libpq-devel-13.23-1.oe2203sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:libpq-devel-13.23-1.oe2203sp3.aarch64", "name":"libpq-devel-13.23-1.oe2203sp3.aarch64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"libpq-13.23-1.oe2203sp3.src.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.src", "name":"libpq-13.23-1.oe2203sp3.src as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"libpq-13.23-1.oe2203sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.x86_64", "name":"libpq-13.23-1.oe2203sp3.x86_64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"libpq-debuginfo-13.23-1.oe2203sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:libpq-debuginfo-13.23-1.oe2203sp3.x86_64", "name":"libpq-debuginfo-13.23-1.oe2203sp3.x86_64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"libpq-debugsource-13.23-1.oe2203sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:libpq-debugsource-13.23-1.oe2203sp3.x86_64", "name":"libpq-debugsource-13.23-1.oe2203sp3.x86_64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"libpq-devel-13.23-1.oe2203sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:libpq-devel-13.23-1.oe2203sp3.x86_64", "name":"libpq-devel-13.23-1.oe2203sp3.x86_64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2025-12817", "notes":[ { "text":"Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-debuginfo-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-debugsource-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-devel-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.src", "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-debuginfo-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-debugsource-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-devel-13.23-1.oe2203sp3.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-debuginfo-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-debugsource-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-devel-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.src", "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-debuginfo-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-debugsource-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-devel-13.23-1.oe2203sp3.x86_64" ], "details":"libpq security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2727" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"LOW", "baseScore":3.1, "vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-debuginfo-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-debugsource-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-devel-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.src", "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-debuginfo-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-debugsource-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-devel-13.23-1.oe2203sp3.x86_64" ] } ], "threats":[ { "details":"Low", "category":"impact" } ], "title":"CVE-2025-12817" }, { "cve":"CVE-2025-12818", "notes":[ { "text":"Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-debuginfo-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-debugsource-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-devel-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.src", "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-debuginfo-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-debugsource-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-devel-13.23-1.oe2203sp3.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-debuginfo-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-debugsource-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-devel-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.src", "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-debuginfo-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-debugsource-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-devel-13.23-1.oe2203sp3.x86_64" ], "details":"libpq security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2727" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.9, "vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-debuginfo-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-debugsource-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-devel-13.23-1.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.src", "openEuler-22.03-LTS-SP3:libpq-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-debuginfo-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-debugsource-13.23-1.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:libpq-devel-13.23-1.oe2203sp3.x86_64" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2025-12818" } ] }