If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.
Log inAES-256-GCM-SIV AEAD format that carries the account name for proxy routing.550 Mailbox not found.FileNode/get returns a stale state string.SieveSystemInterpreter.defaultReturnPath and MtaQueueQuota.match optional expressions.dns-update-v0.5.1.
The Asterisk Development Team would like to announce
release candidate 1 of asterisk-23.4.0.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.4.0-rc1
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 23.4.0-rc1
This release resolves issues reported by the community
and would have not been possible without your participation.
Thank You!
The Asterisk Development Team would like to announce
release candidate 1 of asterisk-22.10.0.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.10.0-rc1
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 22.10.0-rc1
This release resolves issues reported by the community
and would have not been possible without your participation.
Thank You!
The Asterisk Development Team would like to announce
release candidate 1 of asterisk-20.20.0.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.20.0-rc1
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 20.20.0-rc1
This release resolves issues reported by the community
and would have not been possible without your participation.
Thank You!
The PostgreSQL Global Development Group announces that the first beta release of PostgreSQL 19 is now available for download. This release contains PostgreSQL 19 feature previews ahead of general availability, though some details of the release can change during the beta period.
You can find information about all of the PostgreSQL 19 features and changes in the release notes:
https://www.postgresql.org/docs/19/release-19.html
In the spirit of the open source PostgreSQL community, we strongly encourage you to test the new features of PostgreSQL 19 on your systems to help us eliminate bugs and other issues. While we do not advise you to run beta versions in production environments, we encourage you to find ways to run your typical application workloads against this beta release.
Your testing and feedback help the community ensure that PostgreSQL 19 upholds our standards of delivering a stable, reliable release of the world's most advanced open source relational database. Please read more about our beta testing process and how you can contribute:
https://www.postgresql.org/developer/beta/
Below are some of the feature highlights that are planned for PostgreSQL 19. This list is not exhaustive; for the full list of planned features, please see the release notes.
PostgreSQL 19 builds on the asynchronous I/O subsystem introduced in
PostgreSQL 18. In this release, io_method=worker now automatically scales the
number of I/O workers based on the new
io_min_workers
and
io_max_workers
settings.
This release also introduces the
pg_plan_advice
extension, which lets users stabilize and control planner decisions, along with
pg_stash_advice
to apply advice automatically using query identifiers.
This release brings improvements to vacuum and maintenance operations.
Autovacuum can now use parallel workers, which can be configured with the new
autovacuum_max_parallel_workers
setting, and a new autovacuum scoring system
helps prioritize tables to vacuum. PostgreSQL 19 further enhances vacuum with
a new strategy that can automatically reduce future vacuuming work by marking
pages as visible while they're being queried. Additionally, this release
adds the new REPACK
command and its nonblocking CONCURRENTLY
option, which allow tables to be rebuilt with less operational overhead.
PostgreSQL 19 shows up to 2x better performance on inserts when foreign key
checks are present. Additionally, this release improves several areas of
the query planner and executor, including new anti-join optimizations, broader
use of incremental sorts,
eager aggregation
that speeds up row processing,
faster reads from storage during parallel sequential scans, and
simplification of IS DISTINCT FROM
and IS NOT DISTINCT FROM to plain
<> and = operators when the inputs are not nullable. There are also
improvements for
LISTEN/NOTIFY
scalability that impact multi-channel workloads.
PostgreSQL 19 introduces support for
SQL/PGQ,
letting users execute property graph queries using SQL standard syntax. This
release also expands temporal query capabilities with UPDATE and DELETE
support for the
FOR PORTION OF
clause, complementing the temporal constraint support added in
PostgreSQL 18. This release also adds
ALTER TABLE ... MERGE PARTITIONS
and ALTER TABLE ... SPLIT PARTITIONS to make it easier to reorganize
partitioned tables in place. There is now also support for returning rows that
conflict during an upsert operation using
INSERT ... ON CONFLICT DO SELECT ... RETURNING.
PostgreSQL 19 introduces the new
GROUP BY ALL
syntax, making it easy to add
all non-aggregate and non-window output columns as part of the grouping. This
release extends string processing capabilities in
jsonpath
with the addition of
lower(), upper(), initcap(), replace(), split_part(), and the trim()
family of functions.
PostgreSQL 19 makes it easier to adopt "read-your-writes" query patterns
when working with replicas using the new
WAIT FOR LSN
command. This lets a
session wait until changes up to a specific log position (LSN) have been
replayed on the replica before executing a SELECT query.
PostgreSQL 19 also adds new SQL functions to retrieve the
DDL statements
needed to recreate roles, tablespaces, and databases, simplifying
scripting and migration tasks. Additionally, the
random()
function now works
with date and timestamp types, and
PL/Python
now supports event triggers.
PostgreSQL 19 adds server-side support for Server Name Indication (SNI) through
a new
pg_hosts.conf
file, allowing a single PostgreSQL server to present
different TLS certificates based on the hostname requested by the client. There
is also a new
password_expiration_warning_threshold
setting (defaulting to 7 days) to warn users in advance of upcoming password
expirations.
Further to the ongoing deprecation efforts of
md5 authentication,
this release
issues a warning to the client after a successful md5 authentication. This is
controllable via the new
md5_password_warnings
setting.
PostgreSQL 19 introduces the
pg_stat_lock
view, which reports per-lock-type
statistics, and
pg_stat_recovery
which provides detailed visibility into the
state of recovery operations. A stats_reset column is now available across
many statistics views to show when counters were last cleared. The
pg_stat_progress_vacuum
and
pg_stat_progress_analyze
views now include a
started_by column that reports the initiator of the operation, and
pg_stat_progress_vacuum also has a mode column that reports how vacuum
is operating.
This release also allows
log_min_messages
levels to be specified per process
type, giving operators finer control over what each part of the system logs.
Additionally, WAL full page write byte counts are now reported in
VACUUM and
ANALYZE log output,
helping identify maintenance operations that generate large amounts of WAL.
Additionally, EXPLAIN ANALYZE
now supports surfacing asynchronous I/O (AIO) statistics through its IO option,
providing better visibility into how queries are using the AIO subsystem.
In PostgreSQL 19, logical replication now replicates sequence values,
simplifying tasks like online upgrades. Additionally, the new
CREATE PUBLICATION ... EXCEPT
syntax allows you to publish all tables in
a database except for a specified set, while
CREATE SUBSCRIPTION ... SERVER
allows subscriptions to be defined using a foreign server, simplifying
credential management.
PostgreSQL 19 makes it possible to enable logical replication without restarting
a server. Logical replication can now be enabled on demand even when
wal_level
is set to replica, and the new read-only
effective_wal_level
parameter reports the WAL level currently in effect. This reduces the need to
commit upfront to a higher WAL level for clusters that may only occasionally
need it, and avoids disrupting an active workload.
The PostgreSQL foreign data wrapper,
postgres_fdw,
used for query federation, includes several performance improvements, including
pushing down array operations to the remote server, and retrieving and using
statistics from foreign tables to support better local query planning.
The PostgreSQL 19 beta period includes a temporary "grease mode" to try to find protocol compatibility problems in the wider ecosystem. This wiki page contains information on how the campaign works:
https://wiki.postgresql.org/wiki/Grease
PostgreSQL 19 allows data checksums to be enabled or disabled online, without requiring a cluster restart or reinitialization.
There are several notable changes to be aware of in
PostgreSQL 19.
Just-in-time compilation (JIT)
is now disabled by default,
and the
default_toast_compression
setting now defaults to lz4,
providing better default compression and decompression performance. Support for
RADIUS authentication is now removed. Additionally, the
vacuumdb --analyze-only
command by default analyzes partitioned tables.
Many other new features and improvements have been added to PostgreSQL 19. Many of these may also be helpful for your use cases. Please see the release notes for a complete list of new and changed features:
https://www.postgresql.org/docs/19/release-19.html
The stability of each PostgreSQL release greatly depends on you, the community, to test the upcoming version with your workloads and testing tools to find bugs and regressions before the general availability of PostgreSQL 19. As this is a Beta, minor changes to database behaviors, feature details, and APIs are still possible. Your feedback and testing will help determine the final tweaks on the new features, so please test in the near future. The quality of user testing helps determine when we can make a final release.
A list of open issues is publicly available in the PostgreSQL wiki. You can report bugs using this form on the PostgreSQL website:
https://www.postgresql.org/account/submitbug/
This is the first beta release of version 19. The PostgreSQL Project will release additional betas as required for testing, followed by one or more release candidates, until the final release around September/October 2026. For further information please see the Beta Testing page.
Full Changelog: v4.1.1...v4.1.2
Media-over-QUIC
RTMP
HLS
General
RTSP
RTMP
HLS
WebRTC
RPI Camera
Dependencies
Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.
Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:
ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx
You can verify checksums of binaries by downloading checksums.sha256 and running:
cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check
If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.
spamtest in trusted Sieve scripts.TXT records when updating RRSet.Keep-Alive is enabled.
VIENNA, Austria β May 28, 2026 β Enterprise software developer Proxmox Server Solutions GmbH today announced the availability of a new point release for Proxmox Datacenter Manager. The centralized management platform designed to overseeΒ distributed Proxmox infrastructures introduces new enhancements including an automated installation workflow, comprehensive subscription handling, unified Ceph cluster monitoring, and expanded central guest and snapshot management.
Integrated automated installation workflows
Proxmox Datacenter Manager 1.1 now acts as a central configuration server for provisioning. The integration of automated installation functionality standardizes the deployment of hosts across distributed infrastructures. Administrators can centrally manage answer file configurations containing predefined installation parameters and provide them for unattended installations of new hosts. A new βAutomated Installationsβ tab in the βRemotesβ section provides access to these workflows, while installation progress can be tracked directly from within the Proxmox Datacenter Manager web interface. A token-based security mechanism protects the installation process and helps ensure that prepared configurations are accessed only by authorized installations.
Centralized management of subscription keys
For large-scale deployments, managing subscriptions across multiple sites can be complex. A new subscription registry in Proxmox Datacenter Manager enables administrators to manage a central pool of subscription keys, assign them to specific remotes, and remove assignments when no longer needed. A prepared answer file can also include a specific subscription key, allowing a newly provisioned host to register its subscription automatically during installation.
Unified Ceph cluster monitoring
For organizations utilizing hyper-converged infrastructure (HCI) powered by Proxmox VE, tracking storage health across distributed sites is vital. Proxmox Datacenter Manager 1.1 delivers deep, unified visibility across these distributed storage environments by introducing native monitoring for all connected Ceph clusters. A single, consolidated panel allows administrators to verify the health, capacity, and real-time performance of multiple Ceph clusters at a glance. The dashboard provides comprehensive, granular insights into the status of Object Storage Daemons (OSDs), monitors, managers, Metadata Servers (MDS), storage pools, CephFS, and specific cluster flags.
Enhanced infrastructure visualization
New dashboard widgets provide administrators with an overview of their distributed Proxmox infrastructures:
Central guest and snapshot management
Proxmox Datacenter Manager 1.1 marks the initial milestone toward comprehensive, central guest management. A new cross-remote view expands guest management by displaying all QEMU virtual machines and LXC containers across connected remotes. Administrators can display these guests in a sortable table or in a tree grouped by remote, use text filtering to quickly locate individual guests, and access frequently used actions from a unified overview.
The same interface now also provides snapshot management for these guest environments. Administrators can view snapshots in a parent-child tree and create, roll back, delete, or edit snapshot descriptions. In addition, a new βResumeβ action for paused or suspended QEMU virtual machines complements the existing start, stop, and shutdown operations. As this represents the initial phase of centralized guest orchestration, users can expect additional day-to-day management tasks to be integrated in upcoming point releases.
Updated technology stack
Proxmox Datacenter Manager 1.1 is based on Debian 13.5 βTrixieβ and features Linux kernel 7.0 as the new stable default. Along with ZFS 2.4, this release provides an up-to-date open-source software stack for modern centralized infrastructure management and day-to-day lifecycle operations.
Proxmox Datacenter Manager 1.1 is open-source software and immediately available for download at the official website. Users can obtain a complete installation image via ISO download, which contains the full feature set of the solution and can be installed quickly on bare-metal systems using an intuitive installation wizard.
Seamless distribution upgrades from older versions of Proxmox Datacenter Manager are possible using the standard APT package management system. Furthermore, it is also possible to install the platform on top of an existing Debian installation. As Free/Libre and Open Source Software (FLOSS), the entire solution is published under the GNU AGPLv3.
For enterprise environments, customers with active Enterprise support plans for their managed Proxmox Virtual Environment and Proxmox Backup Server remotes also gain access to Proxmox Datacenter Manager updates and support. No separate subscription key is required.
Resources:
###
About Proxmox Datacenter Manager
Proxmox Datacenter Manager is a centralized open-source management layer for distributed, large-scale Proxmox infrastructures. As a core building block of the expanding Proxmox ecosystem, it unifies independent Proxmox Virtual Environment clusters and Proxmox Backup Server instances across multiple sites and data centers into a single control plane. The web interface provides consolidated dashboards for real-time health, performance, and capacity tracking of nodes, virtual machines, containers, and storage. IT teams can centrally manage guest lifecycles, perform migrations, and execute global updates across connected remotes. Developed by Proxmox Server Solutions GmbH, the software is written in Rust, based on Debian, and released under the GNU AGPLv3.
About Proxmox Server Solutions
Proxmox Server Solutions provides powerful, intuitive open-source server software that guarantees vendor independence and minimizes total cost of ownership. Enterprises of all sizes rely on the companyβs reliable vendor support, certified training services, and a global network of 3,000 integration partners to ensure business continuity. Established in 2005 and headquartered in Vienna, Austria, tens of thousands of corporate customers worldwide trust Proxmox solutions to secure mission-critical IT environments. To learn more visit https://www.proxmox.com or follow us on LinkedIn and YouTube.
Media contact
Daniela HΓ€sler, Proxmox Server Solutions GmbH, marketing@proxmox.comΒ
Full Changelog: v4.1.0...v4.1.1
nginx-1.30.2 stable and nginx-1.31.1 mainline versions have been released, with a fix for buffer overflow vulnerability in the ngx_http_rewrite_module (CVE-2026-9256).
VIENNA, Austria β May 21, 2026 β Proxmox Server Solutions GmbH today announced the immediate availability of Proxmox Virtual Environment 9.2, the latest version of its integrated open-source platform for enterprise virtualization. This major update introduces a dynamic load balancer, expanded software-defined networking (SDN) capabilities, and granular management of custom CPU models. By improving resource utilization through dynamic workload balancing and simplifying complex cluster maintenance workflows, Proxmox VE 9.2 enables organizations to scale their infrastructure with higher efficiency and significantly reduced operational complexity.
Dynamic Load Balancer
A highlight of version 9.2 is the introduction of the Dynamic Load Balancer, which utilizes an intelligent decision-making framework to optimize guest placement for maximum cluster balance and reliability. Operating in a new dynamic mode, the cluster resource scheduler (CRS) incorporates real-time node and guest resource utilization into every placement decision. The integrated load balancer can automatically migrate guests managed by the High Availability (HA) stack to reduce the imbalance across the cluster nodes while strictly respecting all user-defined HA rules. Administrators maintain granular control through configurable options that define the behavior and sensitivity of the load Balancer through various parameters, providing organizations with superior oversight of resource utilization in highly available environments.
Expanded software-defined networking (SDN)
This release significantly improves its SDN stack to support modern network architectures.
Further additions include route redistribution for OSPF fabrics, additional options for configuring EVPN controllers, and IPv6 underlay support for EVPN.
Custom CPU model management
To provide greater flexibility for specialized workloads, Proxmox VE 9.2 introduces a dedicated management interface for custom CPU models. Administrators can now create, edit, and remove custom CPU profiles directly in the web interface under the βDatacenterβ section. This makes it easier to tailor the virtual CPU features exposed to VMs, ensuring optimal workload performance. Additionally, the integrated CPU flags selector provides instant visibility into supported flags across all cluster nodes, helping administrators identify potential cluster-wide compatibility issues during the configuration phase.
Confident maintenance with HA Arm/Disarm
Addressing common administrative challenges during maintenance windows, Proxmox VE 9.2 introduces the ability to "disarm" and "arm" the HA Manager cluster-wide. Administrators can temporarily suspend the HA stack during planned cluster maintenance to prevent unwanted actions, such as fencing nodes. HA resource states are preserved during these disarm and arm cycles, ensuring HA resources return to their previous state and node placement automatically once maintenance is completed.
Updated technology stack
Proxmox Virtual Environment 9.2 is based on Debian 13.5 "Trixie" and features Linux kernel 7.0 as the new stable default. Along with the latest versions of QEMU 11.0, LXC 7.0, and ZFS 2.4, this release offers a high-performance open-source architecture for modern infrastructure.
As a complete data center ecosystem engineered for high-density virtualization and disaster recovery, version 9.2 provides businesses with a seamless management environment for compute, storage, and backup. This includes updated support for the storage layer, with Ceph Tentacle 20.2. now available as a stable option alongside Ceph Squid 19.2.
Proxmox Virtual Environment 9.2 is open-source software and immediately available for download at the official website. Users can obtain a complete installation image via ISO download, which contains the full feature set of the solution and can be installed quickly on bare-metal systems using an intuitive installation wizard.
Seamless distribution upgrades from older versions of Proxmox Virtual Environment are possible using the standard APT package management system. Furthermore, it is also possible to install Proxmox Virtual Environment on top of an existing Debian installation.
For enterprise environments, Proxmox offers comprehensive support plans that provide direct access to expert support services and stable and secure updates. These support contracts offer a cost-effective way to secure enterprise-grade stability, with pricing starting at EUR 120 per year and CPU.Β
Resources:
About Proxmox Virtual Environment
Powering over 2 million hosts globally, Proxmox Virtual Environment is a complete open-source platform for enterprise virtualization and hyper-converged infrastructure. It natively unifies KVM virtualization, LXC containers, software-defined storage, and networking on a single platform. Alongside its dedicated Backup Server and Datacenter Manager, the Proxmox ecosystem eliminates multi-site complexity as well as dependency on proprietary stacks. Backed by a global community of over 225,000 members, the platform serves as a scalable, cost-effective foundation for modern data centers.
About Proxmox Server Solutions
Proxmox Server Solutions provides powerful, intuitive open-source server software that guarantees vendor independence and minimizes total cost of ownership. Enterprises of all sizes rely on the companyβs reliable vendor support, certified training services, and a global network of 3,000 integration partners to ensure business continuity. Established in 2005 and headquartered in Vienna, Austria, tens of thousands of corporate customers worldwide trust Proxmox solutions to secure their mission-critical IT environments. To learn more visit https://www.proxmox.com or follow us on LinkedIn and YouTube.
Contact:Β Daniela HΓ€sler, Proxmox Server Solutions GmbH,Β marketing@proxmox.com
If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.
orcpt.$ or { prefixes as secure secrets.acl-principal-prop-set REPORT enforced the wrong privilege.Thread/get did not filter by per-mailbox ACLs on shared accounts.UID FETCH N:* could miss messages moved into a SELECTed mailbox by another connection.v=spf1 a -all records for apex domains.TXT records when they exceed 255 characters.defaultCertificateId when renewing a certificate that is currently set as default.DNS-01 authorizations sequentially to avoid race conditions in some DNS providers.replace action adds an extra From header.
njs-0.9.9 version has been released, with a fix for heap buffer overflow vulnerability in js_fetch_proxy (CVE-2026-8711), featuring js_access, r.readRequestText() and friends, r.readRequestForm(), and jsVarNames().
[skip ci] or [skip cd] (#9861).git_commit_sha when no commit is explicitly provided (#9865, closes #9204)..dmp files (#9869).next and disabled the stale LiteQueen template (#9884, #10006).follow-redirects in the realtime Docker package to 1.16.0 (#9690).phpseclib/phpseclib to 3.0.52 (#9952).POST /api/v1/services instead.Full Changelog: v4.0.0...v4.1.0
[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.11.3.html]
Fixed in Postfix 3.8-3.11:
Bitrot: builds with musl libc broke, because they were using an obsolete NO_SNPRINTF code path that had not been updated for Claude Code findings.
Two fixes for a signed integer overshift condition (a left shift into the sign bit). This "works" on contemporary CPUs, but may break in the future. One reported by Kamil Frankowicz, and one by Robert Sayre.
Viktor Dukhovni fixed an 'uninitialized value' error in the 'collate.pl' script.
Fixed in Postfix 3.11:
You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.
RTSP
RTMP
HLS
WebRTC
RPI Camera
Dependencies
Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.
Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:
ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx
You can verify checksums of binaries by downloading checksums.sha256 and running:
cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check
The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 18.4, 17.10, 16.14, 15.18, and 14.23. This release fixes 11 security vulnerabilities and over 60 bugs reported over the last several months.
For the full list of changes, please review the release notes.
PostgreSQL 14 will stop receiving fixes on November 12, 2026. If you are running PostgreSQL 14 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.
CREATE TYPE does not check multirange schema CREATE privilegeCVSS v3.1 Base Score: 5.4
Supported, Vulnerable Versions: 14 - 18.
Missing authorization in PostgreSQL CREATE TYPE allows an object creator to
hijack other queries that use search_path to find user-defined types,
including extension-defined types. That is to say, the victim will execute
arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL
18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.
CVSS v3.1 Base Score: 8.8
Supported, Vulnerable Versions: 14 - 18.
Integer wraparound in multiple PostgreSQL server features allows an application input provider to cause the server to undersize an allocation and write out-of-bounds. This results in a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
The PostgreSQL project thanks Anemone, A1ex, Xint Code, Jihe Wang, Jingzhou Fu, Pavel Kohout, Petr Simecek, www.aisle.com, Bruce Dang of Calif.io, and Sven Klemm for reporting this problem.
timeofday() can disclose portions of server memoryCVSS v3.1 Base Score: 4.3
Supported, Vulnerable Versions: 14 - 18.
Externally-controlled format string in PostgreSQL timeofday() function allows
an attacker to retrieve portions of server memory, via crafted timezone zones.
Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
The PostgreSQL project thanks Xint Code for reporting this problem.
pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choiceCVSS v3.1 Base Score: 8.8
Supported, Vulnerable Versions: 14 - 18.
Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind
allows an origin superuser to overwrite local files, e.g.
/var/lib/postgres/.bashrc, that hijack the operating system account. It will
remain the case that starting the server after these commands implicitly trusts
the origin superuser, due to features like shared_preload_libraries. Hence, the
attack has practical implications only if one takes relevant action between
these commands and server start, like moving the files to a different VM or
snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and
14.23 are affected.
The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem.
pg_createsubscriber allows SQL injection via subscription nameCVSS v3.1 Base Score: 7.2
Supported, Vulnerable Versions: 17 - 18.
SQL injection in PostgreSQL pg_createsubscriber allows an attacker with
pg_create_subscription rights to execute arbitrary SQL as a superuser. The
attack takes effect when pg_createsubscriber next runs. Within major versions
17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected.
Versions before PostgreSQL 17 are unaffected.
The PostgreSQL project thanks Yu Kunpeng for reporting this problem.
libpq lo_* functions let server superuser overwrite client stack memoryCVSS v3.1 Base Score: 8.8
Supported, Vulnerable Versions: 14 - 18.
Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in
PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64()
functions allows the server superuser to overwrite a client stack buffer with an
arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...)
stores arbitrary-length, server-determined data into a buffer of unspecified
size. Because both the \lo_export command in psql and pg_dump call
lo_read(), the server superuser can overwrite pg_dump or psql stack memory.
Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
The PostgreSQL project thanks Yu Kunpeng and Martin Heistermann for reporting this problem.
CVSS v3.1 Base Score: 6.5
Supported, Vulnerable Versions: 14 - 18.
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
The PostgreSQL project thanks Joe Conway for reporting this problem.
CVSS v3.1 Base Score: 7.5
Supported, Vulnerable Versions: 14 - 18.
Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
The PostgreSQL project thanks Calif.io in collaboration with Claude and Anthropic Research for reporting this problem.
pg_restore_attribute_stats accepts values that cause query planning to read past end of stats arrayCVSS v3.1 Base Score: 4.3
Supported, Vulnerable Versions: 18.
Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts
array values of unmatched length, which causes query planning to read past end
of one array. This allows a table maintainer to infer memory values past that
array end. Within major version 18, minor versions before PostgreSQL 18.4 are
affected. Versions before PostgreSQL 18 are unaffected.
The PostgreSQL project thanks Jeroen Gui for reporting this problem.
refint allows stack buffer overflow and SQL injectionCVSS v3.1 Base Score: 8.8
Supported, Vulnerable Versions: 14 - 18.
Stack buffer overflow in PostgreSQL module refint allows an unprivileged
database user to execute arbitrary code as the operating system user running the
database. A distinct attack is possible if the application declares a
user-controlled column as a refint cascade primary key and facilitates
user-controlled updates to that column. In that case, a SQL injection allows a
primary key update value provider to execute arbitrary SQL as the database user
performing the primary key update. Versions before PostgreSQL 18.4, 17.10,
16.14, 15.18, and 14.23 are affected.
The PostgreSQL project thanks Nikolay Samokhvalov for reporting this problem.
REFRESH PUBLICATION allows SQL injection via table nameCVSS v3.1 Base Score: 3.7
Supported, Vulnerable Versions: 16 - 18.
SQL injection in PostgreSQL logical replication
ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator
to execute arbitrary SQL with the subscription's publication-side credentials.
The attack takes effect at the next REFRESH PUBLICATION. Within major versions
16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are
affected. Versions before PostgreSQL 16 are unaffected.
The PostgreSQL project thanks Pavel Kohout, Aisle Research for reporting this problem.
This update fixes over 60 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.
DEFERRABLE INITIALLY DEFERRED would behave as NOT DEFERRABLE
after being set to NOT ENFORCED status and then back to ENFORCED. If you
have a foreign key with this problem, after installing this update you can fix
it by setting it to NOT ENFORCED and then back to ENFORCED.ON t1.boolcol.INSERT ... ON CONFLICT works when EXCLUDED references a virtual
generated column.MERGE encounters a concurrently-updated
tuple in "repeatable read" or "serializable"
isolation modes.CREATE TABLE ... LIKE ... INCLUDING STATISTICS for cases where the
source table had one or more dropped columns.WITHOUT OVERLAPS to allow domains.multirange.array_agg(anyarray) executes in
parallel.pg_aios system view pid column show NULL instead of 0 when an
entry has no owning process.pg_stat_replication shows NULL lag even while replication
is active.GROUP BY.pg_basebackup and pg_verifybackup.pg_dumpall doesn't skip role grants with dangling grantor OIDs,
restoring the behavior before PostgreSQL 16. Emits a warning about missing
grantor if the source server is PostgreSQL 16 or later.pg_upgrade to use the correct protocol version when connecting to older
source servers.pg_overexplain when using the RANGE_TABLE option.postgres_fdw crash due to premature cleanup of a failed connection.This release also updates time zone data files to tzdata release 2026b, in which British Columbia (America/Vancouver) will be on year-round UTC-07 (effectively, permanent DST) beginning in November 2026. This release assumes that their TZ abbreviation will be MST from that time forward (though this could change). There is also a historical correction for Moldova, which has used EU DST transition times since 2022.
All PostgreSQL update releases are cumulative. As with other minor releases,
users are not required to dump and reload their database or use pg_upgrade
in order to apply this update release; you may simply stop PostgreSQL and
update its binaries.
Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.
For more details, please see the release notes.
If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.
nginx-1.30.1 stable and nginx-1.31.0 mainline versions have been released, with fixes for HTTP/2 request injection vulnerability in the ngx_http_proxy_module (CVE-2026-42926), buffer overflow vulnerability in the ngx_http_rewrite_module (CVE-2026-42945), buffer overread vulnerabilities in the ngx_http_scgi_module and ngx_http_uwsgi_module (CVE-2026-42946), buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-42934), address spoofing vulnerability in HTTP/3 (CVE-2026-40460), and use-after-free vulnerability in OCSP requests to resolver (CVE-2026-40701). Additionally, nginx-1.31.0 mainline version features support for HTTP forward proxy.
You can install pre-built binaries from https://repo.dovecot.org/
Docker images can be found at https://hub.docker.com/r/dovecot/dovecot
Please review https://doc.dovecot.org/2.4.4/installation/upgrade/2.3-to-2.4.html and https://doc.dovecot.org/2.4.4/installation/installation.html.
There are experimental features in 2.4, one is enabled with --enable-experimental-mail-utf8, and another with --enable-experimental-imap4rev2, and you also need to set mail_utf8_extensions=yes and imap4rev2_enabled=yes to enable them in config.
If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.
is_ip_in_cidr expression function for CIDR matching.mail-auth to 0.9 (which bumps hickory-resolver to 0.26).hickory.null values fails.Failed instead of Error when the query returns no results.EAFNOSUPPORT error..well-known endpoints.RCPT before rewriting.dns-update crate):
MX and SRV records.subname for apex records instead of @, which the API rejects.TXT record content in double quotes (RFC 1035) to suppress dashboard warnings.calcard crate):
STATUS:CANCELLED mapping from VTODO to JSCalendar.PT0S.
