Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency org.postgresql:postgresql to v42 [SECURITY] #306

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Mar 16, 2023

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.postgresql:postgresql (source) 9.4.1207 -> 42.2.28 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-31197

Impact

What kind of vulnerability is it? Who is impacted?

The PGJDBC implementation of the java.sql.ResultRow.refreshRow() method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. ;, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user.

User applications that do not invoke the ResultSet.refreshRow() method are not impacted.

User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the refreshRow() method on the ResultSet.

For example:

CREATE TABLE refresh_row_example (
  id     int PRIMARY KEY,
  "1 FROM refresh_row_example; SELECT pg_sleep(10); SELECT * " int
);

This example has a table with two columns. The name of the second column is crafted to contain a statement terminator followed by additional SQL. Invoking the ResultSet.refreshRow() on a ResultSet that queried this table, e.g. SELECT * FROM refresh_row, would cause the additional SQL commands such as the SELECT pg_sleep(10) invocation to be executed.

As the multi statement command would contain multiple results, it would not be possible for the attacker to get data directly out of this approach as the ResultSet.refreshRow() method would throw an exception. However, the attacker could execute any arbitrary SQL including inserting the data into another table that could then be read or any other DML / DDL statement.

Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, versions 42.2.26, 42.3.7, and 42.4.1 have been released with a fix.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Check that you are not using the ResultSet.refreshRow() method.

If you are, ensure that the code that executes that method does not connect to a database that is controlled by an unauthenticated or malicious user. If your application only connects to its own database with a fixed schema with no DDL permissions, then you will not be affected by this vulnerability as it requires a maliciously crafted schema.

CVE-2024-1597

Impact

SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value.

There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.

Exploitation

To exploit this behavior the following conditions must be met:

  1. A placeholder for a numeric value must be immediately preceded by a minus (i.e. -)
  2. There must be a second placeholder for a string value after the first placeholder on the same line.
  3. Both parameters must be user controlled.

The prior behavior of the driver when operating in simple query mode would inline the negative value of the first parameter and cause the resulting line to be treated as a -- SQL comment. That would extend to the beginning of the next parameter and cause the quoting of that parameter to be consumed by the comment line. If that string parameter includes a newline, the resulting text would appear unescaped in the resulting SQL.

When operating in the default extended query mode this would not be an issue as the parameter values are sent separately to the server. Only in simple query mode the parameter values are inlined into the executed SQL causing this issue.

Example

PreparedStatement stmt = conn.prepareStatement("SELECT -?, ?");
stmt.setInt(1, -1);
stmt.setString(2, "\nWHERE false --");
ResultSet rs = stmt.executeQuery();

The resulting SQL when operating in simple query mode would be:

SELECT --1,'
WHERE false --'

The contents of the second parameter get injected into the command. Note how both the number of result columns and the WHERE clause of the command have changed. A more elaborate example could execute arbitrary other SQL commands.

Patch

Problem will be patched upgrade to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, 42.2.28.jre7

The patch fixes the inlining of parameters by forcing them all to be serialized as wrapped literals. The SQL in the prior example would be transformed into:

SELECT -('-1'::int4), ('
WHERE false --')

Workarounds

Do not use the connection propertypreferQueryMode=simple. (NOTE: If you do not explicitly specify a query mode then you are using the default of extended and are not impacted by this issue.)


Release Notes

pgjdbc/pgjdbc (org.postgresql:postgresql)

v42.2.24

Fixed
  • Fix startup regressions caused by PR #​1949. Instead of checking all types by OID, we can return types for well known types PR #​2257
  • Backport PR #​2148
    Avoid leaking server error details through BatchUpdateException when logServerErrorDetail PR #​2254
  • Backpatch PR #​2247
    QueryExecutorImpl.receiveFastpathResult did not properly handle ParameterStatus messages.
    This in turn caused failures for some LargeObjectManager operations. Closes Issue #​2237
    Fixed by adding the missing code path, based on the existing handling in processResults. PR #​2253
  • Backpatch PR #​2242 PgDatabaseMetaData.getIndexInfo() cast operands to smallint PR#2253
    It is possible to break method PgDatabaseMetaData.getIndexInfo() by adding certain custom operators. This PR fixes it.
  • Backpatching PR #​2251 into 42.2 Clean up open connections to fix test failures on omni and appveyor
    use older syntax for COMMENT ON FUNCTION with explicit no-arg parameter parentheses as it is required on server versions before v10.
    Handle cleanup of connection creation in StatementTest, handle cleanup of privileged connection in DatabaseMetaDataTest
  • Backpatch PR #​2245 fixes case where duplicate tables are returned if there are duplicate descriptions oids are not guaranteed to be unique in the catalog PR #​2248
  • Change to updatable result set to use correctly primary or unique keys PR #​2228
    fixes issues introduced in PR #​2199 closes Issue #​2196
  • Fix NPE calling getTypeInfo when alias is null PR #​2220
  • Backpatch PR #​2217 to fix Issue #​2215. OIDs are unsigned integers and were not being handled correctly when they exceeded the size of signed integers

v42.2.23

Changed
  • Renewed the SSL keys for testing
Fixed
  • getColumnPrecision for Numeric when scale and precision not specified now returns 0 instead of 131089 fixes: Issue #​2188
  • Calling refreshRow on an updateable resultset made the row readOnly. Fixes Issue #​2193
  • results should be updateable if there is a unique index available PR#2199 Fixes Issue #​2196
  • Rework sql type gathering to use OID instead of typname.
    This does not have the issue of name shadowing / qual-names, and has the added benefit of fixing #​1948.

v42.2.22

Fixed
  • Regression caused by pgjdbc/pgjdbc@4fa2d5b. Unfortunately
    due to the blocking nature of the driver and issues with seeing if there is a byte available on a blocking stream when it is encrypted
    this introduces unacceptable delays in returning from peek(). At this time there is no simple solution to this.

v42.2.21

Changed
  • Update docs to reflect deprecated DataSource API setServerName backpatch PR#2057 PR #​2105
Fixed

v42.2.20

Fixed
  • Partitioned indexes were not found fixes #​2078 PR #​2087
  • isValid() timeout should not be blocked #​1943 Cherry-picked #​2076
    The usage of setQueryTimeout(); with the same value as the setNetworkTimeout(); is blocking the current transaction timeout.
    The timeouts are blocking each other with this approach.
  • DatabaseMetaData.getTables returns columns in UPPER case as per the spec PR #​2092 fixes Issue #​830

v42.2.19

Notable Changes

  • Now the driver uses SASLprep normalization for SCRAM authentication fixing some issues with spaces in passwords.
  • If closeOnCompletion is called on an existing statement and the statement is executed a second time it will fail.
Changed
  • Perf: avoid duplicate PGStream#changeSocket calls
  • Fix: Actually close unclosed results. Previously was not closing the first unclosed result fixes #​1903 (#​1905).
    There is a small behaviour change here as a result. If closeOnCompletion is called on an existing statement and the statement
    is executed a second time it will fail.
Added
  • Verify code via forbidden-apis (jdk-internal and jdk-non-portable signatures) PR #​2012
Fixed
  • Fix Binary transfer for numeric fixes #​1935
  • Fix Allow specifying binaryTransferEnable even for those types that are not enabled by default
  • Fix: properly set cancel socket timeout (#​2044)
  • Fix "Required class information missing" when old org.jboss:jandex parses pgjdbc classes [issue 2008]https://github.com/pgjdbc/pgjdbc/issues/200808]
  • Fix PGCopyInputStream returning the last row twice when reading with CopyOut API [issue 2016]https://github.com/pgjdbc/pgjdbc/issues/201616]
  • Fix Connection.isValid() to not wait longer than existing network timeout PR #​2040
  • Fix Passwords with spaces (ASCII and non-ASCII) now work with SCRAM authentication (driver now uses SASLprep normalization) PR #​2052
  • Fix DatabaseMetaData.getTablePrivileges() to include views, materialized views, and foreign tables PR #​2049
  • Fix Resolve ParseError in PGtokenizer fixes #​2050
  • Fix return metadata privileges for views and foreign tables

v42.2.18

Fixed
  • Unfortunately changing the default of gssEncMode to ALLOW was not enough. The GSSEncMode Enum was not changed as well
    fixed in #​1920

v42.2.17

Changed
  • Change default of gssEncMode to ALLOW. PostgreSQL can deal with PREFER but there are cloud providers that did not implement the protocol properly. Libpq gets around this by checking for a GSS credential cache before attempting the connection. This is possible in JDK 8 and up, but not JDK6, or JDK7 fixes Issue #​1868 PR #​1913
Added
Fixed
  • Avoid NullPointerException when receiving PGbox, PGcircle, PGline, PGlseg, PGpath, PGpoint, PGpolygon, and PGmoney [PR 1873] https://github.com/pgjdbc/pgjdbc/pull/18733).
  • The driver returns enum and jsonb arrays elements as String objects (like in 42.2.14 and earlier versions) PR 1879.
  • PgTokenizer was ignoring last empty token PR #​1882
  • Remove osgi from karaf fixes Issue #​1891 PR #​1902
  • Handle nulls when the following classes are used: PGbox, PGcircle, PGline, PGlseg, PGpath, PGpoint, PGpolygon, and PGmoney.

v42.2.16

Known issues
  • The driver returns enum and jsonb arrays elements are returned as PGobject instances (fixed in 42.2.17)
Fixed
  • Arrays sent in binary format are now sent as 1 based. This was a regression for multi-dimensional arrays as well as text/varchar, oid and bytea arrays.
    Since 42.2.0 single dimensional arrays were stored 0 based. They are now sent 1 based which is the SQL standard, and the default
    for Postgres when sent as strings such as '{1,2,3}'. Fixes issue 1860 in PR 1863.

v42.2.15

Known issues
  • The driver returns enum and jsonb arrays elements are returned as PGobject instances (fixed in 42.2.17)
Changed
  • Rename source distribution archive to postgresql-$version-jdbc-src.tar.gz, and add top-level archive folder ba017507
  • Add the ability to connect with a GSSAPI encrypted connection. As of PostgreSQL version 12 GSSAPI encrypted connections
    are possible. Now the driver will attempt to connect to the server with a GSSAPI encrypted connection. If that fails then
    attempt an SSL connection, finally falling back to a plain text connection. All of this is controlled using both the gssEncMode
    and sslMode parameters which, in concert with pg_hba.conf, determine if a particular mode is allowed and or required. PR 1821 ad921b9e
  • Source release archive shades dependencies (scram) by default. It affects only postgresql-version-src.tar.gz release artifact f0301eb9
  • Refactor decoding arrays PR 1194
Added
  • Verify nullness with CheckerFramework 6e524ae5
Fixed
  • Avoid preparedStatement leak when using updateable ResultSet via insert/update/refreshRow PR 1815 9a0d2b18
  • Change order of checks for oid vs primary keys. OID's have been deprecated. PR 1613
  • Close certificate file stream. PR 1837
  • Make sure socketTimeout is enforced PR 1831
  • Assume PKCS-8 SSL key format by default PR 1819
  • Preserve unquoted unicode whitespace in array literals PR 1266

v42.2.14

Changed
  • Reverted com.github.waffle:waffle-jna, org.osgi:org.osgi.core, org.osgi:org.osgi.enterprise dependencies to optional=true in Maven PR 1797.

v42.2.13

Notable Changes

  • Security: The primary reason to release this version and to continue the 42.2.x branch is for CVE-2020-13692.
    Reported by David Dworken, this is an XXE and more information can be found here.
    Sehrope Sarkuni reworked the XML parsing to provide a solution in commit 14b62aca4.
  • The build system has been changed to Gradle thanks to Vladimir PR 1627.
  • Regression: com.github.waffle:waffle-jna, org.osgi:org.osgi.core, org.osgi:org.osgi.enterprise dependencies are listed as non-optional issue 1975.
Changed
Added
  • jre-6 was added back to allow us to release fixes for all artifacts in the 42.2.x branch PR 1787
Fixed
  • I/O error ru translation PR 1756
  • Issue 1771 PgDatabaseMetaData.getFunctions() returns
    procedures fixed in PR 1774
  • getTypeMap() returning null PR 1781
  • Updated openssl example command PR 1763
  • fix documentation with ordered list to be displayed correctly PR 1783

v42.2.12

Notable changes

We have released 42.2.12 to correct regressions in this version: Specifically

  • PR 1729 was reverted as this is a breaking change
  • PR 1719 has been reverted as it introduced errors in the PgType Cache

We recommend that version 42.2.11 not be used.

Changed
  • reverted PR 1729 throw an error instead of silently rolling back a commit error.
    This change introduced a breaking change which will be moved to 42.3.0
  • reverted PR 1719 add support for full names of data types (#​1719)

v42.2.11

Notable changes
As mentioned above this version is broken and should not be used.

Changed
  • Reverted PR 1641. The driver will now wait for EOF when sending cancel signals.
  • DatabaseMetaData#getProcedures returns only procedures (not functions) for PostgreSQL 11+ PR 1723
  • Convert silent rollbacks into exception if application sends commit or xa.prepare command PR 1729
Added
  • feat: raiseExceptionOnSilentRollback connection option to configure if silent rollback should raise an exception PR 1729
  • feat: Expose ByteStreamWriter in CopyManager PR 1702
  • feat: add way to distinguish base and partitioned tables in PgDatabaseMetaData.getTables PR 1708
  • refactor: introduce tuple abstraction (rebased) PR 1701
  • refactor: make PSQLState enum consts for integrity constraint violations PR 1699
  • test: add makefile to create ssl certs PR 1706
Fixed
  • fix: Always use . as decimal separator in PGInterval PR 1705
  • fix: allow DatabaseMetaData.getColumns to describe an unset scale PR 1716
Changed
  • Build system update from Maven to Gradle PR 1627
Added
  • docker-compose image for creating test databases (see docker folder)

v42.2.10

Changed
  • (!) Regression: remove receiving EOF from backend after cancel PR 1641. The regression is that the subsequent query might receive the cancel signal.
Added
Fixed
  • Cleanup PGProperty, sort values, and add some missing to docs PR 1686
  • Fixing LocalTime rounding (losing precision) PR 1570
  • Network Performance of PgDatabaseMetaData.getTypeInfo() method PR 1668
  • Issue #​1680 updating a boolean field requires special handling to set it to t or f instead of true or false PR 1682
  • bug in pgstream for replication PR 1681
  • Issue #​1677 NumberFormatException when fetching PGInterval with small value PR 1678
  • Metadata queries improvements with large schemas. PR 1673
  • Utf 8 encoding optimizations PR 1444
  • interval overflow PR 1658
  • Issue #​1482 where the port was being added to the GSSAPI service name PR 1651
  • remove receiving EOF from backend after cancel since according to protocol the server closes the connection once cancel is sent (connection reset exception is always thrown) PR 1641
  • Unable to register out parameter Issue #​1646 PR 1648

v42.2.9

Changed
Added
  • read only transactions PR 1252
  • pkcs12 key functionality PR 1599
  • new "escapeSyntaxCallMode" connection property PR 1560
  • connection property to limit server error detail in exception exceptions PR 1579
  • cancelQuery() to PGConnection public interface PR 1157
  • support for large update counts (JDBC 4.2) PR 935
  • Add Binary Support for Oid.NUMERIC and Oid.NUMERIC_ARRAY PR 1636
Fixed
  • issue 716 getTypeInfo() may not return data in the order specified in Oracle documentation PR 1506
  • PgSQLXML setCharacterStream() results in null value PR 1608
  • get correct column length for simple domains PR 1605
  • NPE as a result of calling executeQuery twice on a statement fixes issue #​684 [PR 1610] https://github.com/pgjdbc/pgjdbc/pull/16100)
  • handle numeric domain types PR 1611
  • pginterval to take iso8601 strings PR 1612
  • remove currentTimeMillis from code, tests are OK PR 1617
  • NPE when calling setNull on a PreparedStatement with no parameters PR 1620
  • allow OUT parameter registration when using CallableStatement native CALL PR 1561
  • add release save point into execute with batch PR 1583
  • Prevent use of extended query protocol for BEGIN before COPY PR 1639

v42.2.8

Changed
Added
Fixed
  • fix: Revert inet default Java type to PGObject and handle values with net masks PR 1568

v42.2.7

Changed
Added
  • Expose parameter status messages (GUC_REPORT) to the user PR 1435
  • Add automatic module name to manifest for jdk9+ PR 1538
  • Log ignoring rollback when no transaction in progress PR 1549
  • Map inet type to InetAddress PR 1527 issue 1134
Fixed
  • fix issue 1547 As long as peek returns some bytes do not reset the timeout, this allows us to continue checking until any async notifies are consumed PR 1548
  • fix: issue 1466 In logical decoding the if the backend was requesting a reply we… PR 1467
  • fix: issue 1534 Proleptic java.time support PR 1539
  • fix Ensure isValid() will not last more than timeout seconds PR 1557

v42.2.6

Known issues
  • Waffle has dropped support for 1.6, 1.7 as such the new waffle 1.9.x is only available in jre8
  • Microseconds in timestamps might be truncated when transferred in binary mode
  • 24:00 time handling is not consistent issue 1385
  • Unexpected packet type during stream replication issue 1466
  • Driver goes missing after OSGi bundle restart issue 1476
Changed
  • Change IS_GENERATED to IS_GENERATEDCOLUMN as per spec PR 1485
  • Fix missing metadata columns, and misspelled columns in PgDatabaseMetaData#getTables PR 1323
Added
  • CI tests with Java 11, and Java EA
  • Support temporary replication slots in ReplicationCreateSlotBuilder PR 1306
  • Support PostgreSQL 11, 12
  • Return function (PostgreSQL 11) columns in PgDatabaseMetaData#getFunctionColumns
  • Return information on create replication slot, now the snapshot_name is exported
    to allow a consistent snapshot in some uses cases. PR 1335
Fixed
  • Fixed async copy performance (1ms per op) in SSL mode PR 1314
  • Return Double.NaN for 'NaN'::numeric PR 1304
  • Performance issue in PgDatabaseMetaData#getTypeInfo with lots of types in DB PR 1302
  • PGCopyInputStream#read should cap values to [0, 255], -1 PR 1349
  • Fixes LocalDateTime handling of BC dates PR 1388
  • Release savepoints in autosave mode to prevent out of shared memory errors at the server side PR 1409
  • Fix execution with big decimal in simple query mode. PR 1463
  • Fix rounding for timestamps truncated to dates before 1970 PR 1502

v42.2.5

Known issues
Changed
  • ssl=true implies sslmode=verify-full, that is it requires valid server certificate cdeeaca4

targetServerType=master has been deprecated in favour of targetServerType=primary. master
will still be accepted but not documented.

Added
  • Support for sslmode=allow/prefer/require cdeeaca4
Fixed
  • Security: added server hostname verification for non-default SSL factories in sslmode=verify-full (CVE-2018-10936) cdeeaca4
  • Updated documentation on SSL configuration fa032732
  • Updated Japanese translations PR 1275
  • IndexOutOfBounds on prepared multistatement with insert values c2885dd0

v42.2.4

Changed
  • PreparedStatement.setNull(int parameterIndex, int t, String typeName) no longer ignores the typeName
    argument if it is not null PR 1160
Fixed
  • Fix treatment of SQL_TSI_YEAR, SQL_TSI_WEEK, SQL_TSI_MINUTE PR 1250
  • Map integrity constraint violation to XA_RBINTEGRITY instead of XAER_RMFAIL PR 1175 f2d1352c

v42.2.3

Known issues
  • SQL_TSI_YEAR is treated as hour, SQL_TSI_WEEK is treated as hour, SQL_TSI_MINUTE is treated as second
Changed
  • Reduce the severity of the error log messages when an exception is re-thrown. The error will be
    thrown to caller to be dealt with so no need to log at this verbosity by pgjdbc PR 1187
  • Deprecate Fastpath API PR 903
  • Support parenthesis in {oj ...} JDBC escape syntax PR 1204
  • ubenchmark module moved pgjdbc/benchmarks repository due to licensing issues PR 1215
  • Include section on how to submit a bug report in CONTRIBUTING.md PR 951
Fixed
  • getString for PGObject-based types returned "null" string instead of null PR 1154
  • Field metadata cache can be disabled via databaseMetadataCacheFields=0 PR 1052
  • Properly encode special symbols in passwords in BaseDataSource PR 1201
  • Adjust date, hour, minute, second when rounding nanosecond part of a timestamp PR 1212
  • perf: reduce memory allocations in query cache PR 1227
  • perf: reduce memory allocations in SQL parser PR 1230, PR 1233
  • Encode URL parameters in BaseDataSource PR 1201
  • Improve JavaDoc formatting PR 1236

v42.2.2

Fixed
  • Fix startup regressions caused by PR #​1949. Instead of checking all types by OID, we can return types for well known types PR #​2257
  • Backport PR #​2148
    Avoid leaking server error details through BatchUpdateException when logServerErrorDetail PR #​2254
  • Backpatch PR #​2247
    QueryExecutorImpl.receiveFastpathResult did not properly handle ParameterStatus messages.
    This in turn caused failures for some LargeObjectManager operations. Closes Issue #​2237
    Fixed by adding the missing code path, based on the existing handling in processResults. PR #​2253
  • Backpatch PR #​2242 PgDatabaseMetaData.getIndexInfo() cast operands to smallint PR#2253
    It is possible to break method PgDatabaseMetaData.getIndexInfo() by adding certain custom operators. This PR fixes it.
  • Backpatching PR #​2251 into 42.2 Clean up open connections to fix test failures on omni and appveyor
    use older syntax for COMMENT ON FUNCTION with explicit no-arg parameter parentheses as it is required on server versions before v10.
    Handle cleanup of connection creation in StatementTest, handle cleanup of privileged connection in DatabaseMetaDataTest
  • Backpatch PR #​2245 fixes case where duplicate tables are returned if there are duplicate descriptions oids are not guaranteed to be unique in the catalog PR #​2248
  • Change to updatable result set to use correctly primary or unique keys PR #​2228
    fixes issues introduced in PR #​2199 closes Issue #​2196
  • Fix NPE calling getTypeInfo when alias is null PR #​2220
  • Backpatch PR #​2217 to fix Issue #​2215. OIDs are unsigned integers and were not being handled correctly when they exceeded the size of signed integers

v42.2.1

Notable Changes

  • Now the driver uses SASLprep normalization for SCRAM authentication fixing some issues with spaces in passwords.
  • If closeOnCompletion is called on an existing statement and the statement is executed a second time it will fail.
Changed
  • Perf: avoid duplicate PGStream#changeSocket calls
  • Fix: Actually close unclosed results. Previously was not closing the first unclosed result fixes #​1903 (#​1905).
    There is a small behaviour change here as a result. If closeOnCompletion is called on an existing statement and the statement
    is executed a second time it will fail.
Added
  • Verify code via forbidden-apis (jdk-internal and jdk-non-portable signatures) PR #​2012
Fixed
  • Fix Binary transfer for numeric fixes #​1935
  • Fix Allow specifying binaryTransferEnable even for those types that are not enabled by default
  • Fix: properly set cancel socket timeout (#​2044)
  • Fix "Required class information missing" when old org.jboss:jandex parses pgjdbc classes [issue 2008]https://github.com/pgjdbc/pgjdbc/issues/200808]
  • Fix PGCopyInputStream returning the last row twice when reading with CopyOut API [issue 2016]https://github.com/pgjdbc/pgjdbc/issues/201616]
  • Fix Connection.isValid() to not wait longer than existing network timeout PR #​2040
  • Fix Passwords with spaces (ASCII and non-ASCII) now work with SCRAM authentication (driver now uses SASLprep normalization) PR #​2052
  • Fix DatabaseMetaData.getTablePrivileges() to include views, materialized views, and foreign tables PR #​2049
  • Fix Resolve ParseError in PGtokenizer fixes #​2050
  • Fix return metadata privileges for views and foreign tables

v42.2.0

Known issues
  • SCRAM does not work as scram:client library is not packaged
  • client_encoding has to be UTF8 even with allowEncodingChanges=true
Added
  • Support SCRAM-SHA-256 for PostgreSQL 10 in the JDBC 4.2 version (Java 8+) using the Ongres SCRAM library. PR 842
  • Make SELECT INTO and CREATE TABLE AS return row counts to the client in their command tags. Issue 958 PR 962
  • Support Subject Alternative Names for SSL connections. PR 952
  • Support isAutoIncrement metadata for PostgreSQL 10 IDENTITY column. PR 1004
  • Support for primitive arrays PR#887 3e0491a
  • Implement support for get/setNetworkTimeout() in connections. PR 849
  • Make GSS JAAS login optional, add an option "jaasLogin" PR 922 see Connecting to the Database
Changed
  • Improve behaviour of ResultSet.getObject(int, Class). PR 932
  • Parse CommandComplete message using a regular expression, allows complete catch of server returned commands for INSERT, UPDATE, DELETE, SELECT, FETCH, MOVE, COPY and future commands. PR 962
  • Use 'time with timezone' and 'timestamp with timezone' as is and ignore the user provided Calendars, 'time' and 'timestamp' work as earlier except "00:00:00" now maps to 1970-01-01 and "24:00:00" uses the system provided Calendar ignoring the user-provided one PR 1053
  • Change behaviour of multihost connection. The new behaviour is to try all secondaries first before trying the master PR 844.
  • Avoid reflective access to TimeZone.defaultTimeZone in Java 9+ PR 1002 fixes Issue 986
Fixed
  • Make warnings available as soon as they are received from the server. This is useful for long running queries, where it can be beneficial to know about a warning before the query completes. PR 857
  • Use 00:00:00 and 24:00:00 for LocalTime.MIN/MAX. PR 992
  • Now the DatabaseMetaData.getFunctions() implementation complies with the JDBC docs. PR 918
  • Execute autosave/rollback savepoint via simple queries always to prevent "statement S_xx not exists" when autosaving fixes Issue #​955
  • Received resultset tuples, but no field structure for them" when bind failure happens on 5th execution of a statement Issue 811
Removed
  • Drop support for the (insecure) crypt authentication method. PR 1026
Deprecated
  • Reintroduce Driver.getVersion for backward compatibility reasons, mark it as deprecated as application should not rely on it (regression since 42.0.0) 50d5dd3e

v42.1.4

Changed
  • Statements with non-zero fetchSize no longer require server-side named handle. This might cause issues when using old PostgreSQL versions (pre-8.4)+fetchSize+interleaved ResultSet processing combo. Issue 869

v42.1.3

Fixed
  • Fix NPE in PreparedStatement.executeBatch in case of empty batch (regression since 42.1.2). PR 867

v42.1.2

Changed
  • Better logic for returning keyword detection. Previously, pgjdbc could be defeated by column names that contain returning, so pgjdbc failed to "return generated keys" as it considered statement as already having returning keyword PR 824 201daf1d
  • Use server-prepared statements for batch inserts when prepareThreshold>0. Note: this enables batch to use server-prepared from the first executeBatch() execution (previously it waited for prepareThreshold executeBatch() calls) abc3d9d7
Fixed
  • Replication API: fix issue in #​834 setting statusIntervalUpdate causes high CPU load. PR 835 59236b74
Regressions
  • NPE in PreparedStatement.executeBatch in case of empty batch. Fixed in 42.1.3

v42.1.1

Fixed
  • Fix infinite dates that might be corrupted when transferred in binary for certain JREs. For instance, 5881610-07-11 instead of infinity. 1e5bf563

v42.1.0

Added
  • Support fetching a REF_CURSOR using getObject PR 809
Fixed
  • Fix data being truncated in setCharacterStream (bug introduced in 42.0.0) PR 802
  • Fix calculation of lastReceiveLSN for logical replication PR 801
  • Make sure org.postgresql.Driver is loaded when accessing though DataSource interface Issue 768
Regressions
  • There's no 42.1.0.jre6 version due to infinity handling bug. Fixed in 42.1.1.jre6

v42.0.0

Added
Changed
  • Version bumped to 42.0.0 to avoid version clash with PostgreSQL version and follow a better semantic versioning. 46634923
  • Ensure executeBatch() can be used with pgbouncer. Previously pgjdbc could use server-prepared statements for batch execution even with prepareThreshold=0. Issue 742
  • Error position is displayed when SQL has unterminated literals, comments, etc. Issue 688
  • Strict handling of accepted values in getBoolean and setObject(BOOLEAN), now it follows PostgreSQL accepted values, only 1 and 0 for numeric types are accepted (previously !=0 was true). PR 732
  • Return correct versions and name of the driver. PR 668
Removed
  • Support for PostgreSQL versions below 8.2 was dropped. PR 661
Deprecated
  • Deprecated PGPoolingDataSource, instead of this class you should use a fully featured connection pool like HikariCP, vibur-dbcp, commons-dbcp, c3p0, etc. PR 739
Regressions
  • Data truncated in setCharacterStream. Fixed in 42.1.0
  • No suitable driver found for jdbc:postgresql when using a DataSource implementation. Fixed in 42.1.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/maven-org.postgresql-postgresql-vulnerability branch from 5b4d924 to 3b7a11d Compare February 22, 2024 05:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants