PostgreSQL JDBC 42.2.5 Released (Security Fix CVE-2018-10936)

Posted on 2018-08-27 by JDBC Project

A potential security issue (CVE-2018-10936) has been addressed. It was theoretically possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. During the process of investigating this a number of changes have been made.

ssl=true now means verify-full. This is a departure from libpq, which defaults to no validation or verification. With ssl=true or sslmode=verify-full the driver verifies the server's SSL certificate against the trusted root and validates that the host it connected to is the host named in the certificate.

The driver now also supports the allow and prefer values for sslmode; see https://jdbc.postgresql.org/documentation/head/ssl-client.html for details.
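The following is an added example, not code from the PgJDBC project: it audits a set of driver connection properties for the two conditions discussed above (an sslmode other than verify-full, and a custom sslfactory supplied without an sslhostnameverifier) and then opens a connection only with a configuration that verifies the server. The property names used (ssl, sslmode, sslfactory, sslhostnameverifier, sslrootcert) are the driver's documented connection parameters; the host, database, certificate path and the NonValidatingFactory class name in the "weak" sample are constructed placeholders for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/** Audit helper for PgJDBC SSL settings (example code, not part of the driver). */
public class PgSslAudit {

    /**
     * Returns a list of findings. An empty list means the configuration
     * requests full certificate and host-name verification.
     */
    public static List<String> audit(Properties props) {
        List<String> findings = new ArrayList<>();
        String sslmode = props.getProperty("sslmode");
        String ssl = props.getProperty("ssl");
        String factory = props.getProperty("sslfactory");
        String verifier = props.getProperty("sslhostnameverifier");

        // 42.2.5 semantics: ssl=true (or an empty ssl value) means verify-full,
        // and an explicit sslmode takes precedence over the ssl flag.
        String effective;
        if (sslmode != null) {
            effective = sslmode;
        } else if (ssl != null && (ssl.isEmpty() || Boolean.parseBoolean(ssl))) {
            effective = "verify-full";
        } else {
            // Nothing requested explicitly; treat as unverified for audit purposes.
            effective = "unspecified";
        }

        if (!"verify-full".equals(effective)) {
            findings.add("sslmode is '" + effective
                + "'; only verify-full checks the host name against the certificate");
        }
        // The pre-42.2.5 gap: a custom factory without a host-name verifier.
        if (factory != null && verifier == null) {
            findings.add("custom sslfactory '" + factory
                + "' supplied without sslhostnameverifier; host-name checking depends on the factory");
        }
        if ("verify-full".equals(effective) && props.getProperty("sslrootcert") == null) {
            findings.add("verify-full without sslrootcert; the driver falls back to the default root.crt location");
        }
        return findings;
    }

    /** Connects only if the audit is clean; otherwise throws with the findings. */
    public static Connection connectIfVerified(String url, Properties props) throws SQLException {
        List<String> findings = audit(props);
        if (!findings.isEmpty()) {
            throw new SQLException("refusing to connect, SSL configuration not verified: " + findings);
        }
        return DriverManager.getConnection(url, props);
    }

    public static void main(String[] args) {
        // Constructed "weak" configuration: ssl=true but a non-validating factory
        // and no host-name verifier (the pattern CVE-2018-10936 concerns).
        Properties weak = new Properties();
        weak.setProperty("user", "app");
        weak.setProperty("ssl", "true");
        weak.setProperty("sslfactory", "org.postgresql.ssl.NonValidatingFactory");
        System.out.println("weak config findings:     " + audit(weak));

        // Constructed hardened configuration: explicit verify-full plus a trusted root.
        Properties hardened = new Properties();
        hardened.setProperty("user", "app");
        hardened.setProperty("sslmode", "verify-full");
        hardened.setProperty("sslrootcert", "/etc/ssl/certs/pg-root.crt"); // placeholder path
        System.out.println("hardened config findings: " + audit(hardened));

        // Placeholder host and database; the connection attempt is expected to
        // fail when run offline, the point is which configuration is allowed through.
        String url = "jdbc:postgresql://db.example.internal:5432/appdb";
        try (Connection c = connectIfVerified(url, hardened)) {
            System.out.println("connected with verified TLS: " + c.getMetaData().getURL());
        } catch (SQLException e) {
            System.out.println("connection not established: " + e.getMessage());
        }
    }
}
```

The audit deliberately treats an absent ssl/sslmode as unverified rather than guessing the driver's default, so a configuration passes only when it explicitly requests verify-full (or ssl=true under the 42.2.5 semantics) and does not replace the driver's verification with a custom factory that lacks a host-name verifier.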