PostgreSQL JDBC 42.5.1, 42.4.3, 42.3.8, 42.2.27.jre7 Security update for CVE-2022-41946 - Mailing list pgsql-announce

From JDBC Project via PostgreSQL Announce
Subject PostgreSQL JDBC 42.5.1, 42.4.3, 42.3.8, 42.2.27.jre7 Security update for CVE-2022-41946
Date
Msg-id 166922437667.1896.12613448576418013558@wrigleys.postgresql.org
List pgsql-announce

PostgreSQL JDBC 42.5.1, 42.4.3, 42.3.8, 42.2.27.jre7 Security update for CVE-2022-41946

The PostgreSQL JDBC team has released 42.5.1, 42.4.3, 42.3.8 and 42.2.27.jre7 to address a security issue, CVE-2022-41946. (Note that there is no fix for 42.2.26.jre6; see the advisory for workarounds.) This is only an issue if you are using PreparedStatement.setText() or PreparedStatement.setBytea() with a String or bytea argument larger than 51200 bytes, at which point the driver buffers the value to disk. To do this it creates a temporary file which, in previous versions, could be read by other users on the client system. Note that this only affects Unix-like systems. See the security advisory for the details. Thanks to Jonathan Leitschuh for finding and reporting the issue.
