pgjdbc 42.2.5 released to address potential security issue - Mailing list pgsql-jdbc

From Dave Cramer
Subject pgjdbc 42.2.5 released to address potential security issue
Date
Msg-id CADK3HHLFw9jaRqzPxvsfOWMJK65aZE7m2TZuWRFNQjunoh_BGA@mail.gmail.com
List pgsql-jdbc

A potential security issue ([CVE-2018-10936](https://access.redhat.com/security/cve/CVE-2018-10936)) has been addressed. It was theoretically possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver.
During the process of investigating this, a number of changes have been made.

`ssl=true` now means `verify-full`. This is a diversion from libpq, which defaults to no validation or verification. With `ssl=true` or `verify-full` the driver will verify the SSL certificate and validate that the host is the host named in the certificate.

The driver now also supports `allow` and `prefer`, see [ssl-client](https://jdbc.postgresql.org/documentation/head/ssl-client.html) for details.

Regards,

Dave Cramer
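The following is an added example, not code from the announcement above or from the pgjdbc project. It shows, in Java against the pgjdbc driver, the `sslmode` choices the post mentions (`verify-full`, `allow`, `prefer`) and a defensive check for the configuration CVE-2018-10936 concerned: a custom `sslfactory` supplied without an `sslhostnameverifier`. The connection properties `sslmode`, `sslrootcert`, `sslfactory` and `sslhostnameverifier` are real pgjdbc properties; the host name, database, CA bundle path and the `com.example.CustomSslFactory` class name are placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

/**
 * Added example (not pgjdbc's own code): builds pgjdbc connection properties for
 * the sslmode values discussed in the 42.2.5 announcement and refuses the
 * shape of configuration behind CVE-2018-10936. Host, database and CA path
 * below are placeholders.
 */
public class PgSslConnect {

    static final String URL = "jdbc:postgresql://db.example.internal:5432/app"; // placeholder
    static final String CA_BUNDLE = "/etc/ssl/certs/corp-pg-root.crt";           // placeholder

    /**
     * verify-full: the server certificate must chain to sslrootcert and the
     * name in it must match the host in the URL. From 42.2.5 on, ssl=true means
     * the same thing, but spelling out sslmode survives a downgrade to an
     * older driver whose ssl=true did not verify anything.
     */
    static Properties verifyFull(String user, String password) {
        Properties p = credentials(user, password);
        p.setProperty("sslmode", "verify-full");
        p.setProperty("sslrootcert", CA_BUNDLE);
        return p;
    }

    /**
     * allow / prefer: opportunistic encryption only. Neither mode checks the
     * certificate or the host name, so an active attacker can still pose as
     * the server; these modes resist passive sniffing and nothing more.
     */
    static Properties opportunistic(String user, String password, String mode) {
        if (!"allow".equals(mode) && !"prefer".equals(mode)) {
            throw new IllegalArgumentException("mode must be allow or prefer: " + mode);
        }
        Properties p = credentials(user, password);
        p.setProperty("sslmode", mode);
        return p;
    }

    /**
     * The CVE-2018-10936 configuration: a custom SSLSocketFactory given via
     * sslfactory with no sslhostnameverifier. Before 42.2.5 such a connection
     * never compared the host name against the certificate. Refusing the
     * combination here avoids depending on which driver version is on the
     * classpath at runtime.
     */
    static void rejectUnverifiedFactory(Properties p) {
        boolean customFactory = p.getProperty("sslfactory") != null;
        boolean hasVerifier = p.getProperty("sslhostnameverifier") != null;
        if (customFactory && !hasVerifier) {
            throw new IllegalStateException(
                "sslfactory set without sslhostnameverifier: host name is not checked on pre-42.2.5 drivers");
        }
    }

    static Connection connect(Properties p) throws SQLException {
        rejectUnverifiedFactory(p);
        return DriverManager.getConnection(URL, p);
    }

    private static Properties credentials(String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        return p;
    }

    public static void main(String[] args) throws SQLException {
        String pw = System.getenv().getOrDefault("PGPASSWORD", "");

        // Hardened: getConnection fails if the chain or the host name does not check out.
        try (Connection c = connect(verifyFull("app", pw))) {
            System.out.println("verify-full connection established: " + c.getMetaData().getURL());
        }

        // The unsafe shape: rejected before any network connection is attempted.
        Properties risky = verifyFull("app", pw);
        risky.setProperty("sslfactory", "com.example.CustomSslFactory"); // hypothetical class name
        try {
            connect(risky);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If a custom factory is genuinely needed (for example to load a client certificate from a non-default keystore), pair it with an explicit `sslhostnameverifier` so the host name check does not depend on the driver's defaults, and keep `sslmode=verify-full` so the chain is validated as well.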
