| Package | postgresql-11 |
|---|---|
| Version | 11.22-0+deb10u8 (buster) |
The fix for CVE-2026-2006 introduced a regression in SUBSTRING() for toasted multibyte characters, as discussed in the upstream bug:
https://www.postgresql.org/message-id/19406-9867fddddd724fca@postgresql.org
Also a number of minor upstream fixes for the patches added in 11.22-0+deb10u7 where added:
- pg_mblen_range, pg_mblen_with_len: Valgrind after encoding ereport.
- Suppress new “may be used uninitialized” warning.
- Fix test_valid_server_encoding helper function.
- pgcrypto: Tweak error message for incorrect session key length.
For Debian 10 buster, these problems have been fixed in version 11.22-0+deb10u8.
We recommend that you upgrade your postgresql-11 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.