Thread: PostgreSQL JDBC 42.5.1, 42.4.3, 42.3.8, 42.2.27.jre7 Security update for CVE-2022-41946

From
JDBC Project via PostgreSQL Announce

The PostgreSQL JDBC team has released 42.5.1, 42.4.3, 42.3.8 and 42.2.27.jre7 to address a security issue, CVE-2022-41946. (Note that there is no fix for 42.2.26.jre6; see the advisory for workarounds.)

This is only an issue if you are using PreparedStatement.setText() or PreparedStatement.setBytea() with a String or bytea argument larger than 51200 bytes, at which point the driver buffers the value to disk. To do this it creates a temporary file which, in previous versions, could be read by other users on the client system. Note that this only affects Unix-like systems. See the security advisory for the details.

Thanks to Jonathan Leitschuh for finding and reporting the issue.
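The underlying problem class is easy to reproduce and to check for in your own code. The following is an added illustration, not pgjdbc's code and not taken from the advisory: it creates a spill file the two common ways a Java library can and reports the resulting permissions on a Unix-like system. java.io.File.createTempFile() inherits the process umask, which on most installations leaves the file group- and world-readable (rw-r--r--), while java.nio.file.Files.createTempFile() requests owner-only access (rw-------) at creation time, so there is no window in which another local user can open the file. The class, method and prefix names are the example's own.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Constructed example: compares the permissions of temporary files created
 * with java.io.File versus java.nio.file.Files on a POSIX file system.
 */
public class TempFilePermissions {

    // Weak pattern: permissions come from the process umask, typically 0644,
    // so any local user can read whatever is spilled into the file.
    static Path weakTempFile() throws IOException {
        File f = File.createTempFile("spill-", ".tmp");
        f.deleteOnExit();
        return f.toPath();
    }

    // Hardened pattern: the NIO API creates the file with owner-only
    // permissions (0600) atomically, independent of the umask.
    static Path hardenedTempFile() throws IOException {
        Path p = Files.createTempFile("spill-", ".tmp");
        p.toFile().deleteOnExit();
        return p;
    }

    // True if group or others hold read access on the file.
    static boolean readableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    static String describe(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
            + (readableByOthers(p) ? "  <-- readable by other local users" : "");
    }

    public static void main(String[] args) throws IOException {
        // The issue in the announcement is specific to Unix-like systems;
        // only those expose the POSIX attribute view used below.
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            System.out.println("No POSIX permissions on this platform; nothing to check.");
            return;
        }
        Path weak = weakTempFile();
        Path hard = hardenedTempFile();
        try {
            System.out.println("File.createTempFile  : " + describe(weak));
            System.out.println("Files.createTempFile : " + describe(hard));
        } finally {
            Files.deleteIfExists(weak);
            Files.deleteIfExists(hard);
        }
    }
}
```

Compile and run with a plain `javac TempFilePermissions.java && java TempFilePermissions` as the same user the application runs as, since the umask in effect is what determines the first result. Independently of upgrading the driver, running the JVM with `java.io.tmpdir` pointed at a directory that only the service account can enter limits what any temporary file created this way can expose; confirm the advisory's own guidance before relying on that alone.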