PostgreSQL is an advanced object-relational database management system
that supports an extended subset of the SQL standard, including
transactions, foreign keys, sub-queries, triggers, and user-defined
types and functions.
This package includes the programs needed to create and run a
PostgreSQL server, which will in turn allow you to create and maintain
PostgreSQL databases.
Provides
Requires
License
PostgreSQL
Changelog
* Tue Dec 09 2025 guillaume.gardet@opensuse.org
- Fix build on aarch64 with upstream commit 0dceba2:
* llvm-21-aarch64.patch
* Mon Nov 24 2025 max@suse.com
- Fix build with uring for post SLE15 code streams.
* Fri Nov 14 2025 max@suse.com
- Use %product_libs_llvm_ver to determine the LLVM version.
- Remove conditionals for obsolete PostgreSQL releases.
* Wed Nov 12 2025 max@suse.com
- Update to 18.1:
* https://www.postgresql.org/about/news/p-3171/
* https://www.postgresql.org/docs/release/18.1/
* bsc#1253332, CVE-2025-12817: Missing check for CREATE
privileges on the schema in CREATE STATISTICS allowed table
owners to create statistics in any schema, potentially leading
to unexpected naming conflicts.
* bsc#1253333, CVE-2025-12818: Several places in libpq were not
sufficiently careful about computing the required size of a
memory allocation. Sufficiently large inputs could cause
integer overflow, resulting in an undersized buffer, which
would then lead to writing past the end of the buffer.
* Thu Sep 25 2025 mrueckert@suse.de
- pg_config --libs returns -lnuma so we need to require it.
* Tue Sep 23 2025 max@suse.com
- Update to 18.0.
* https://www.postgresql.org/about/news/p-3142/
* https://www.postgresql.org/docs/18/release-18.html
* Thu Sep 04 2025 max@suse.com
- Update to 18 RC1.
* https://www.postgresql.org/about/news/p-3130/
* Tue Aug 19 2025 mrueckert@suse.de
- move libpq-oauth into the libpq5 package. it is a plugin that
will be loaded via dlopen() if libpq encounters an oauth workflow
during a connection.
* Mon Aug 18 2025 mrueckert@suse.de
- In the symlinking loop for *.so files only handle symlinks and
not also files.
This allows us to enable oauth support
* Mon Aug 18 2025 mrueckert@suse.de
- enable liburing and libnuma support
- prepare oauth support. but it creates broken symlinks at the
moment
* Thu Aug 14 2025 mrueckert@suse.de
- Update to 18~beta3
* https://www.postgresql.org/about/news/p-3118/
Security Issues
* CVE-2025-8713: PostgreSQL optimizer statistics can expose
sampled data within a view, partition, or child table
(boo#1248120)
* CVE-2025-8714: PostgreSQL pg_dump lets superuser of origin
server execute arbitrary code in psql client (boo#1248122)
* CVE-2025-8715: PostgreSQL pg_dump newline in object name
executes arbitrary code in psql client and in restore target
server (boo#1248119)
* Wed Jul 23 2025 mrueckert@suse.de
- Update to 18~beta2
https://www.postgresql.org/about/news/p-3103/
* Fri May 09 2025 mrueckert@suse.de
- Fork package for postgresql 18
https://www.postgresql.org/about/news/p-3070/
* Fri May 09 2025 max@suse.com
- Upgrade to 17.5:
* bsc#1242931, CVE-2025-4207: postgresql: PostgreSQL GB18030
encoding validation can read one byte past end of allocation
for text that fails validation.
* https://www.postgresql.org/docs/release/17.5/
* https://www.postgresql.org/about/news/p-3072/
- Add postresql-pg_config_paths.patch to Fix a race condition
while generating pg_config_paths.h.
* Tue Feb 18 2025 max@suse.com
- Upgrade to 17.4:
* Improve behavior of libpq's quoting functions:
The changes made for CVE-2025-1094 had one serious oversight:
PQescapeLiteral() and PQescapeIdentifier() failed to honor
their string length parameter, instead always reading to the
input string's trailing null. This resulted in including
unwanted text in the output, if the caller intended to
truncate the string via the length parameter. With very bad
luck it could cause a crash due to reading off the end of
memory.
In addition, modify all these quoting functions so that when
invalid encoding is detected, an invalid sequence is
substituted for just the first byte of the presumed
character, not all of it. This reduces the risk of problems
if a calling application performs additional processing on
the quoted string.
* Fix small memory leak in pg_createsubscriber.
* https://www.postgresql.org/docs/release/17.4/
* https://www.postgresql.org/about/news/p-3018/
* Tue Feb 11 2025 max@suse.com
- Upgrade to 17.3:
* bsc#1237093, CVE-2025-1094: Harden PQescapeString and allied
functions against invalidly-encoded input strings.
* obsoletes postgresql-tzdata2025a.patch
* https://www.postgresql.org/docs/release/17.3/
* https://www.postgresql.org/about/news/-3015/
* Wed Jan 29 2025 obs.coke518@passinbox.com
- Apply postgresql-tzdata2025a.patch regardless of
whether LLVM JIT is enabled
* Tue Jan 28 2025 max@suse.com
- Fix build, add postgresql-tzdata2025a.patch
* Thu Dec 26 2024 obs.coke518@passinbox.com
- Disable LLVM JIT on loongarch64
* Tue Nov 19 2024 max@suse.com
- Upgrade to 17.2:
* Repair ABI break for extensions that work with struct
ResultRelInfo.
* Restore functionality of ALTER {ROLE|DATABASE} SET role.
* Fix cases where a logical replication slot's restart_lsn could
go backwards.
* Avoid deleting still-needed WAL files during pg_rewind.
* Fix race conditions associated with dropping shared statistics
entries.
* Count index scans in contrib/bloom indexes in the statistics
views, such as the pg_stat_user_indexes.idx_scan counter.
* Fix crash when checking to see if an index's opclass options
have changed.
* Avoid assertion failure caused by disconnected NFA sub-graphs
in regular expression parsing.
* https://www.postgresql.org/about/news/p-2965/
* https://www.postgresql.org/docs/release/17.2/
* Wed Nov 13 2024 max@suse.com
- Upgrade to 17.1:
* CVE-2024-10976, bsc#1233323: Ensure cached plans are marked as
dependent on the calling role when RLS applies to a
non-top-level table reference.
* CVE-2024-10977, bsc#1233325: Make libpq discard error messages
received during SSL or GSS protocol negotiation.
* CVE-2024-10978, bsc#1233326: Fix unintended interactions
between SET SESSION AUTHORIZATION and SET ROLE
* CVE-2024-10979, bsc#1233327: Prevent trusted PL/Perl code from
changing environment variables.
* obsoletes postgresql17-jsonb_jsonpath.patch
* https://www.postgresql.org/about/news/p-2955/
* https://www.postgresql.org/docs/release/17.1/
* Mon Nov 04 2024 max@suse.com
- Add postgresql17-jsonb_jsonpath.patch as a temporary build fix.
* Mon Oct 07 2024 fvogt@suse.com
- Use cmake(LLVM) < instead of <= to also allow building against
LLVM 18.1 and newer 18.x versions
* Thu Sep 26 2024 max@suse.com
- Upgrade to 17.0:
* New memory management system for VACUUM, which reduces memory
consumption and can improve overall vacuuming performance.
* New SQL/JSON capabilities, including constructors, identity
functions, and the JSON_TABLE() function, which converts JSON
data into a table representation.
* Various query performance improvements, including for
sequential reads using streaming I/O, write throughput under
high concurrency, and searches over multiple values in a btree
index.
* Logical replication enhancements, including:
+ Failover control
+ pg_createsubscriber, a utility that creates logical replicas
from physical standbys
+ pg_upgrade now preserves replication slots on both publishers
and subscribers
* New client-side connection option, sslnegotiation=direct, that
performs a direct TLS handshake to avoid a round-trip
negotiation.
* pg_basebackup now supports incremental backup.
* COPY adds a new option, ON_ERROR ignore, that allows a copy
operation to continue in the event of an error.
* https://www.postgresql.org/about/news/p-2936/
* https://www.postgresql.org/docs/17/release-17.html
* Sat Sep 07 2024 mrueckert@suse.de
- Upgrade to 17rc1
https://www.postgresql.org/about/news/postgresql-17-rc1-released-2926/
* Sat Aug 10 2024 mrueckert@suse.de
- Upgrade to 17beta3 (bsc#1229013):
* bsc#1229013, CVE-2024-7348 PostgreSQL relation replacement
during pg_dump executes arbitrary SQL
* https://www.postgresql.org/about/news/p-2910/
* Wed Jun 26 2024 max@suse.com
- Upgrade to 17beta2.
* Mon May 27 2024 max@suse.com
- Upgrade to 17beta1.
- Allow LLVM <= 18
* Mon May 06 2024 max@suse.com
- Prepare for PostgreSQL 17.
- Make sure all compilation and doc generation happens in %build.
* Tue Mar 12 2024 aaronpuchert@alice-dsl.net
- Require LLVM <= 17 for now, because LLVM 18 doesn't seem to work.
* Thu Mar 07 2024 sarah.kriesch@opensuse.org
- Remove constraints file because improved memory usage for s390x
* Thu Feb 29 2024 dimstar@opensuse.org
- Use %patch -P N instead of deprecated %patchN.
* Thu Feb 08 2024 max@suse.com
- Upgrade to 16.2:
* bsc#1219679, CVE-2024-0985: Tighten security restrictions
within REFRESH MATERIALIZED VIEW CONCURRENTLY.
One step of a concurrent refresh command was run under weak
security restrictions. If a materialized view's owner could
persuade a superuser or other high-privileged user to perform a
concurrent refresh on that view, the view's owner could control
code executed with the privileges of the user running REFRESH.
Fix things so that all user-determined code is run as the
view's owner, as expected
* If you use GIN indexes, you may need to reindex after updating
to this release.
* LLVM 18 is now supported.
* https://www.postgresql.org/docs/release/16.2/
* Wed Nov 08 2023 max@suse.com
- Upgrade to 16.1:
* bsc#1216962, CVE-2023-5868: Fix handling of unknown-type
arguments in DISTINCT "any" aggregate functions. This error led
to a text-type value being interpreted as an unknown-type value
(that is, a zero-terminated string) at runtime. This could
result in disclosure of server memory following the text value.
* bsc#1216961, CVE-2023-5869: Detect integer overflow while
computing new array dimensions. When assigning new elements to
array subscripts that are outside the current array bounds, an
undetected integer overflow could occur in edge cases. Memory
stomps that are potentially exploitable for arbitrary code
execution are possible, and so is disclosure of server memory.
* bsc#1216960, CVE-2023-5870: Prevent the pg_signal_backend role
from signalling background workers and autovacuum processes.
The documentation says that pg_signal_backend cannot issue
signals to superuser-owned processes. It was able to signal
these background processes, though, because they advertise a
role OID of zero. Treat that as indicating superuser ownership.
The security implications of cancelling one