With release of PostgreSQL 18.1 this CVE vulnerability was addressed by upstream and should be deployed on all Fedora/RedHat distributions involved.

Please refer also to bug #2416111 which shows how libpq breaks compatibility with upstream.

https://bugzilla.redhat.com/show_bug.cgi?id=2416111

-----------

GENERAL update policy:

Since Postgres / fedora provide only the latest libpq library (downward compatible) usable with all supported PostgreSQL versions, this library should always be updatede when a new version of the highest supported major version is released.

This was the last time with the release of 18.1 at  2025-11-13 by PostgreSQL Global Development Group.

https://www.postgresql.org/about/news/postgresql-181-177-1611-1515-1420-and-1323-released-3171/

At every minor release there may be also bug fixes in libpq, which can be important to the corresponding postgres version.

The library libpq should be automatically updated at every minor and major release of PostgreSQL like all the postgresql rpms in the corresponding distribution.

My customers systems seem to be at risk to this vulnerability by using the fedora supplied libpq (not updated), and the pgdg_common supplied libpq5 is not usable with php85 (see bug #2416111).

I propose to change the priority to URGENT, but don't want to create a separate bug report.

Is it possible to implement the same update policy like the normal postgresqlxx rpms for libpq?


Thank you for your support!

Hans Buschmann

Since it's medium severity and there is no SLAs in Fedora, it's in the backlog. If you want to speed it up, feel free to prepare PR in https://src.fedoraproject.org/rpms/libpq