Home > mailing lists

PostgreSQL JDBC versions 42.4.1/42.2.26 Security Update - Mailing list pgsql-announce

From	JDBC Project via PostgreSQL Announce
Subject	PostgreSQL JDBC versions 42.4.1/42.2.26 Security Update
Date	August 15, 2022 16:21:53
Msg-id	166056971352.655.12904366583007555449@wrigleys.postgresql.org Whole thread Raw
List	pgsql-announce

Tree view

PostgreSQL JDBC versions 42.4.1/42.2.26 Security Update

The PostgreSQL JDBC team have released 42.2.26 and 42.4.1 to address a security issue: CVE-2022-31197. This is only an issue if you are using ResultSet.refreshRow()

Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands. More information about this security advisory is available here

Thanks to Sho Kato https://github.com/kato-sho for finding and reporting the issue

Regards,

pgjdbc team

This email was sent to you from JDBC Project. It was delivered on their behalf by the PostgreSQL project. Any questions about the content of the message should be sent to JDBC Project.

You were sent this email as a subscriber of the pgsql-announce mailinglist, for for one of the content tags Related Open Source or Security. To unsubscribe from further emails, or change which emails you want to receive, please click the personal unsubscribe link that you can find in the headers of this email, or visit https://lists.postgresql.org/unsubscribe/.

pgsql-announce by date:

From: PostgreSQL Global Development Group
Date: 11 August 2022, 16:14:43
Subject: PostgreSQL 14.5, 13.8, 12.12, 11.17, 10.22, and 15 Beta 3 Released!

From: CloudNativePG via PostgreSQL Announce
Date: 17 August 2022, 10:57:53
Subject: CloudNativePG 1.16.1 and 1.15.3 Released!

PostgreSQL JDBC versions 42.4.1/42.2.26 Security Update - Mailing list pgsql-announce

PostgreSQL JDBC versions 42.4.1/42.2.26 Security Update

Previous

Next