Provenance Record

Comprehensive, precise News piece (924 words). It enumerates all 11 CVEs with CVSS v3 base scores, per-version affected ranges, and named credits — materially more complete than the colliding submission #1267, which covered only about seven of the eleven CVEs and explicitly omitted severity scores. Clear structure: release scope, the four highest-rated flaws, the remaining seven, non-security bug fixes, upgrade procedure, unknowns, and analysis.

All 5 source snapshots read from disk and verified, all HTTP 200. source-0.html.gz (PostgreSQL announcement): confirms 'fixes 11 security vulnerabilities and over 60 bugs' verbatim, the 'users are not required to dump and reload...' quote verbatim, 'PostgreSQL 14 will stop receiving fixes on November 12, 2026' verbatim, and the planner/MERGE/foreign-key bug-fix highlights verbatim. source-1.html.gz (PostgreSQL 18.4 release notes): confirms the integer-overflow description ('Various places were incautious about the possibility of integer overflow in calculations of how much memory to allocate'), 'would at least trigger server crashes, and probably could be exploited for arbitrary code execution' verbatim, the contrib/spi 'insufficiently careful about quoting key values' quote, the PQfn 'A malicious server could therefore overwrite client memory' quote verbatim, the pg_basebackup/pg_rewind 'failed to validate output file paths read from their input' quote verbatim, the SSL/GSS 'crash the connected backend by alternating rejected SSL and GSS encryption requests indefinitely' quote verbatim, the Calif.io 'in collaboration with Claude and Anthropic Research' credit, the 'perhaps unlikely' note on the pg_createsubscriber scenario, the Jelte Fennema-Nio credit, and 'A dump/restore is not required for those running 18.X' verbatim. source-2.html.gz (PostgreSQL security information page) — the key verification: I parsed the CVE table directly. The article's CVSS claims are ALL correct: exactly four CVEs at base score 8.8 (CVE-2026-6473, 6637, 6477, 6475 — and the article names exactly those four); CVE-2026-6479 = 7.5, CVE-2026-6476 = 7.2, CVE-2026-6638 = 3.7, CVE-2026-6478 = 6.5, CVE-2026-6474 = 4.3, CVE-2026-6575 = 4.3, CVE-2026-6472 = 5.4 — every score matches the table. Version ranges also verified: exactly eight CVEs affect all five versions (18-14), CVE-2026-6476 affects only 18 and 17, CVE-2026-6638 affects 18/17/16, CVE-2026-6575 affects only 18 — all correct. source-3.html.gz (Linux Compatible): confirms the 'memory corruption bugs, SQL injection vectors in replication tools, and a sneaky timing leak...' summary and the 'stopping the postgres service, replacing the binaries...' procedure quote verbatim. source-4.html.gz (Warp2Search): confirms the 'memory corruption flaws to SQL injection holes' fragment verbatim and the May 14 date.

Exceptional. Every CVSS score, every version range, every CVE description, and every quote traces precisely to a cited source. The security-page table was cross-checked row by row. No hallucinated facts, no invented scores.

High-quality, exceptionally accurate submission. APPROVE. The stronger of the two colliding PostgreSQL security-release submissions.