| Package | postgresql-9.6 |
|---|---|
| Version | 9.6.24-0+deb9u12 (stretch) |

The fix for CVE-2026-2006 introduced a regression in SUBSTRING() for toasted multibyte characters, as discussed in the upstream bug:
https://www.postgresql.org/message-id/19406-9867fddddd724fca@postgresql.org
In addition, a number of minor upstream fixes for the patches added in 9.6.24-0+deb9u11 were added:
- pg_mblen_range, pg_mblen_with_len: Valgrind after encoding ereport.
- Suppress new “may be used uninitialized” warning.
- Fix test_valid_server_encoding helper function.
- pgcrypto: Tweak error message for incorrect session key length.
For Debian 9 stretch, these problems have been fixed in version 9.6.24-0+deb9u12.
We recommend that you upgrade your postgresql-9.6 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.