I would very much appreciate it if you would say in this mailing list thread that these 42.2.25 jar files are official (or add links on the web page). This may be helpful for those who are hesitant to use these jar files as is.
With best regards, Takatsuka Haruka / SRA OSS, Inc.
> Greetings,
>
> Due to the following :
> Impact
>
> pgjdbc instantiates plugin instances based on class names provided via
> authenticationPluginClassName, sslhostnameverifier, socketFactory,
> sslfactory, sslpasswordcallback connection properties.
>
> However, the driver did not verify if the class implements the expected
> interface before instantiating the class.
>
> We have released versions 42.2.25 and 42.3.2.
>
> The only change in 42.2.25 was to address the security vulnerability in
> this commit Merge pull request from GHSA-v7wg-cpwc-24m4 ·
> pgjdbc/pgjdbc@8a363a7 (github.com)
> <https://github.com/pgjdbc/pgjdbc/commit/8a363a7c0989ef8a8f45bb055b4003f758ceabd5>
> (snip)
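
The missing check described in the quoted announcement, shown as an added example that is not part of this thread and is not pgjdbc's code: a class named in a connection property should be confirmed to implement the expected interface before its constructor runs. `PluginLoadDemo`, `DemoVerifier`, `Unrelated` and both `instantiate*` helpers are hypothetical names constructed for illustration.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

public class PluginLoadDemo {
    // Counts constructor runs so the difference between the two loaders is visible.
    static int constructed = 0;

    // Constructed stand-in for a legitimate sslhostnameverifier plugin.
    public static class DemoVerifier implements HostnameVerifier {
        public DemoVerifier() { constructed++; }
        @Override public boolean verify(String host, SSLSession session) { return false; }
    }

    // Constructed stand-in for a class that does not implement the interface.
    public static class Unrelated {
        public Unrelated() { constructed++; }
    }

    // Pattern the advisory describes: the named class is constructed
    // without any check that it is the expected kind of plugin.
    static Object instantiateUnchecked(String className) throws Exception {
        return Class.forName(className).getDeclaredConstructor().newInstance();
    }

    // Checked pattern: load without running static initializers, require the
    // expected interface (ClassCastException otherwise), then construct.
    static <T> T instantiateChecked(Class<T> expected, String className) throws Exception {
        Class<?> raw = Class.forName(className, false, PluginLoadDemo.class.getClassLoader());
        return raw.asSubclass(expected).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        String good = DemoVerifier.class.getName();
        String bad = Unrelated.class.getName();

        instantiateUnchecked(bad);
        System.out.println("unchecked: constructors run = " + constructed);

        try {
            instantiateChecked(HostnameVerifier.class, bad);
        } catch (ClassCastException e) {
            System.out.println("checked: rejected " + bad
                + ", constructors run = " + constructed);
        }

        HostnameVerifier v = instantiateChecked(HostnameVerifier.class, good);
        System.out.println("checked: accepted " + v.getClass().getSimpleName());
    }
}
```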