Update dependency org.postgresql:postgresql to v42 [SECURITY] #306
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
9.4.1207
->42.2.28
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2022-31197
Impact
What kind of vulnerability is it? Who is impacted?
The PGJDBC implementation of the
java.sql.ResultRow.refreshRow()
method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g.;
, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user.User applications that do not invoke the
ResultSet.refreshRow()
method are not impacted.User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the
refreshRow()
method on the ResultSet.For example:
This example has a table with two columns. The name of the second column is crafted to contain a statement terminator followed by additional SQL. Invoking the
ResultSet.refreshRow()
on a ResultSet that queried this table, e.g.SELECT * FROM refresh_row
, would cause the additional SQL commands such as theSELECT pg_sleep(10)
invocation to be executed.As the multi statement command would contain multiple results, it would not be possible for the attacker to get data directly out of this approach as the
ResultSet.refreshRow()
method would throw an exception. However, the attacker could execute any arbitrary SQL including inserting the data into another table that could then be read or any other DML / DDL statement.Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user.
Patches
Has the problem been patched? What versions should users upgrade to?
Yes, versions 42.2.26, 42.3.7, and 42.4.1 have been released with a fix.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Check that you are not using the
ResultSet.refreshRow()
method.If you are, ensure that the code that executes that method does not connect to a database that is controlled by an unauthenticated or malicious user. If your application only connects to its own database with a fixed schema with no DDL permissions, then you will not be affected by this vulnerability as it requires a maliciously crafted schema.
CVE-2024-1597
Impact
SQL injection is possible when using the non-default connection property
preferQueryMode=simple
in combination with application code that has a vulnerable SQL that negates a parameter value.There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.
Exploitation
To exploit this behavior the following conditions must be met:
-
)The prior behavior of the driver when operating in simple query mode would inline the negative value of the first parameter and cause the resulting line to be treated as a
--
SQL comment. That would extend to the beginning of the next parameter and cause the quoting of that parameter to be consumed by the comment line. If that string parameter includes a newline, the resulting text would appear unescaped in the resulting SQL.When operating in the default extended query mode this would not be an issue as the parameter values are sent separately to the server. Only in simple query mode the parameter values are inlined into the executed SQL causing this issue.
Example
The resulting SQL when operating in simple query mode would be:
The contents of the second parameter get injected into the command. Note how both the number of result columns and the WHERE clause of the command have changed. A more elaborate example could execute arbitrary other SQL commands.
Patch
Problem will be patched upgrade to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, 42.2.28.jre7
The patch fixes the inlining of parameters by forcing them all to be serialized as wrapped literals. The SQL in the prior example would be transformed into:
Workarounds
Do not use the connection property
preferQueryMode=simple
. (NOTE: If you do not explicitly specify a query mode then you are using the default ofextended
and are not impacted by this issue.)Release Notes
pgjdbc/pgjdbc (org.postgresql:postgresql)
v42.2.24
Fixed
Avoid leaking server error details through BatchUpdateException when logServerErrorDetail PR #2254
QueryExecutorImpl.receiveFastpathResult did not properly handle ParameterStatus messages.
This in turn caused failures for some LargeObjectManager operations. Closes Issue #2237
Fixed by adding the missing code path, based on the existing handling in processResults. PR #2253
It is possible to break method PgDatabaseMetaData.getIndexInfo() by adding certain custom operators. This PR fixes it.
use older syntax for COMMENT ON FUNCTION with explicit no-arg parameter parentheses as it is required on server versions before v10.
Handle cleanup of connection creation in StatementTest, handle cleanup of privileged connection in DatabaseMetaDataTest
fixes issues introduced in PR #2199 closes Issue #2196
v42.2.23
Changed
Fixed
This does not have the issue of name shadowing / qual-names, and has the added benefit of fixing #1948.
v42.2.22
Fixed
due to the blocking nature of the driver and issues with seeing if there is a byte available on a blocking stream when it is encrypted
this introduces unacceptable delays in returning from peek(). At this time there is no simple solution to this.
v42.2.21
Changed
Fixed
fixes Issue 2173
v42.2.20
Fixed
The usage of
setQueryTimeout();
with the same value as thesetNetworkTimeout();
is blocking the current transaction timeout.The timeouts are blocking each other with this approach.
v42.2.19
Notable Changes
Changed
There is a small behaviour change here as a result. If closeOnCompletion is called on an existing statement and the statement
is executed a second time it will fail.
Added
Fixed
v42.2.18
Fixed
fixed in #1920
v42.2.17
Changed
Added
Fixed
v42.2.16
Known issues
Fixed
Since 42.2.0 single dimensional arrays were stored 0 based. They are now sent 1 based which is the SQL standard, and the default
for Postgres when sent as strings such as '{1,2,3}'. Fixes issue 1860 in PR 1863.
v42.2.15
Known issues
Changed
postgresql-$version-jdbc-src.tar.gz
, and add top-level archive folder ba017507are possible. Now the driver will attempt to connect to the server with a GSSAPI encrypted connection. If that fails then
attempt an SSL connection, finally falling back to a plain text connection. All of this is controlled using both the gssEncMode
and sslMode parameters which, in concert with pg_hba.conf, determine if a particular mode is allowed and or required. PR 1821 ad921b9e
Added
Fixed
v42.2.14
Changed
v42.2.13
Notable Changes
Reported by David Dworken, this is an XXE and more information can be found here.
Sehrope Sarkuni reworked the XML parsing to provide a solution in commit 14b62aca4.
Changed
Added
Fixed
procedures fixed in PR 1774
v42.2.12
Notable changes
We have released 42.2.12 to correct regressions in this version: Specifically
We recommend that version 42.2.11 not be used.
Changed
This change introduced a breaking change which will be moved to 42.3.0
v42.2.11
Notable changes
As mentioned above this version is broken and should not be used.
Changed
DatabaseMetaData#getProcedures
returns only procedures (not functions) for PostgreSQL 11+ PR 1723commit
orxa.prepare
command PR 1729Added
raiseExceptionOnSilentRollback
connection option to configure if silent rollback should raise an exception PR 1729ByteStreamWriter
in CopyManager PR 1702Fixed
.
as decimal separator in PGInterval PR 1705Changed
Added
docker
folder)v42.2.10
Changed
Added
Fixed
v42.2.9
Changed
Added
Fixed
v42.2.8
Changed
Added
Fixed
v42.2.7
Changed
Added
Fixed
v42.2.6
Known issues
Changed
Added
to allow a consistent snapshot in some uses cases. PR 1335
Fixed
v42.2.5
Known issues
Changed
ssl=true
impliessslmode=verify-full
, that is it requires valid server certificate cdeeaca4targetServerType=master has been deprecated in favour of targetServerType=primary. master
will still be accepted but not documented.
Added
sslmode=allow/prefer/require
cdeeaca4Fixed
sslmode=verify-full
(CVE-2018-10936) cdeeaca4v42.2.4
Changed
argument if it is not null PR 1160
Fixed
v42.2.3
Known issues
Changed
thrown to caller to be dealt with so no need to log at this verbosity by pgjdbc PR 1187
Fixed
v42.2.2
Fixed
Avoid leaking server error details through BatchUpdateException when logServerErrorDetail PR #2254
QueryExecutorImpl.receiveFastpathResult did not properly handle ParameterStatus messages.
This in turn caused failures for some LargeObjectManager operations. Closes Issue #2237
Fixed by adding the missing code path, based on the existing handling in processResults. PR #2253
It is possible to break method PgDatabaseMetaData.getIndexInfo() by adding certain custom operators. This PR fixes it.
use older syntax for COMMENT ON FUNCTION with explicit no-arg parameter parentheses as it is required on server versions before v10.
Handle cleanup of connection creation in StatementTest, handle cleanup of privileged connection in DatabaseMetaDataTest
fixes issues introduced in PR #2199 closes Issue #2196
v42.2.1
Notable Changes
Changed
There is a small behaviour change here as a result. If closeOnCompletion is called on an existing statement and the statement
is executed a second time it will fail.
Added
Fixed
v42.2.0
Known issues
Added
Changed
Fixed
Removed
Deprecated
v42.1.4
Changed
v42.1.3
Fixed
v42.1.2
Changed
Fixed
Regressions
v42.1.1
Fixed
5881610
-07-11 instead of infinity. 1e5bf563v42.1.0
Added
Fixed
Regressions
v42.0.0
Added
Changed
Removed
Deprecated
Regressions
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.