{"affected":[{"ecosystem_specific":{"binaries":[{"postgresql16":"16.11-160000.1.1","postgresql16-contrib":"16.11-160000.1.1","postgresql16-devel":"16.11-160000.1.1","postgresql16-docs":"16.11-160000.1.1","postgresql16-llvmjit":"16.11-160000.1.1","postgresql16-llvmjit-devel":"16.11-160000.1.1","postgresql16-plperl":"16.11-160000.1.1","postgresql16-plpython":"16.11-160000.1.1","postgresql16-pltcl":"16.11-160000.1.1","postgresql16-server":"16.11-160000.1.1","postgresql16-server-devel":"16.11-160000.1.1","postgresql16-test":"16.11-160000.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 16.0","name":"postgresql16","purl":"pkg:rpm/opensuse/postgresql16&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"16.11-160000.1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for postgresql16 fixes the following issues:\n\nSecurity fixes:\n\n- CVE-2025-12817: Missing check for CREATE\n  privileges on the schema in CREATE STATISTICS allowed table\n  owners to create statistics in any schema, potentially leading\n  to unexpected naming conflicts (bsc#1253332)\n- CVE-2025-12818: Several places in libpq were not\n  sufficiently careful about computing the required size of a\n  memory allocation. Sufficiently large inputs could cause\n  integer overflow, resulting in an undersized buffer, which\n  would then lead to writing past the end of the buffer (bsc#1253333)\n\nOther fixes:\n\n  - Upgrade to 16.11\n","id":"openSUSE-SU-2026:20130-1","modified":"2026-01-29T10:55:17Z","published":"2026-01-29T10:55:17Z","references":[{"type":"ADVISORY","url":null},{"type":"REPORT","url":"https://bugzilla.suse.com/1253332"},{"type":"REPORT","url":"https://bugzilla.suse.com/1253333"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-12817"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-12818"}],"related":["CVE-2025-12817","CVE-2025-12818"],"summary":"Security update for postgresql16","upstream":["CVE-2025-12817","CVE-2025-12818"]}