PostgreSQL JDBC 42.2.5 Released (Security Fix CVE-2018-10936)

Posted on 2018-08-27 by JDBC Project

A potential security issue (CVE-2018-10936) has been addressed. It was theoretically possible to supply a custom SSL Factory and have the driver skip host name checking when no host name verifier was provided to it. While investigating this, a number of related changes have been made.

ssl=true now means verify-full. This diverges from libpq, which by default performs neither validation nor verification. With ssl=true or verify-full the driver verifies the SSL certificate and validates that the host it connected to is the host named in the certificate.
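The following program is an added example and not code from the JDBC project or this announcement. It shows the difference between a connection configured with the post-42.2.5 default (ssl=true, equivalent to sslmode=verify-full, with a CA bundle supplied via sslrootcert) and a connection that only opportunistically encrypts (sslmode=prefer) and therefore performs no certificate or host name validation. After connecting it queries the server's pg_stat_ssl view to confirm that the session actually uses SSL. The host name, database, credentials and the CA file path are placeholders you must replace.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class PgSslModeExample {

    // Placeholder connection details (assumed, replace for your environment).
    private static final String URL = "jdbc:postgresql://db.example.internal:5432/appdb";
    private static final String USER = "app_user";
    private static final String PASSWORD = System.getenv("PGPASSWORD");
    // Placeholder path to the CA certificate that signed the server certificate.
    private static final String CA_BUNDLE = "/etc/pki/postgres/corp-ca.pem";

    /** Properties for a connection that verifies the server certificate and host name. */
    static Properties verifiedProperties() {
        Properties props = new Properties();
        props.setProperty("user", USER);
        props.setProperty("password", PASSWORD);
        // Since pgjdbc 42.2.5, ssl=true is the same as sslmode=verify-full;
        // stating sslmode explicitly makes the intent visible in the configuration.
        props.setProperty("sslmode", "verify-full");
        // verify-full needs a trust anchor: the CA that issued the server certificate.
        props.setProperty("sslrootcert", CA_BUNDLE);
        return props;
    }

    /** Properties for the weaker, opportunistic mode: encrypts if the server offers it,
     *  but does not check the certificate chain or the host name. */
    static Properties opportunisticProperties() {
        Properties props = new Properties();
        props.setProperty("user", USER);
        props.setProperty("password", PASSWORD);
        props.setProperty("sslmode", "prefer");
        return props;
    }

    /** Asks the server whether this session is SSL-protected (pg_stat_ssl exists since 9.5). */
    static boolean sessionUsesSsl(Connection conn) throws SQLException {
        String sql = "SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid()";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() && rs.getBoolean("ssl");
        }
    }

    static void connectAndReport(String label, Properties props) {
        try (Connection conn = DriverManager.getConnection(URL, props)) {
            System.out.printf("%s: connected, ssl=%b%n", label, sessionUsesSsl(conn));
        } catch (SQLException e) {
            // With verify-full a certificate issued by an unknown CA, or one whose
            // name does not match the host, fails here instead of silently connecting.
            System.out.printf("%s: connection refused: %s%n", label, e.getMessage());
        }
    }

    public static void main(String[] args) {
        connectAndReport("verify-full", verifiedProperties());
        connectAndReport("prefer", opportunisticProperties());
    }
}
```

Run it once against a server whose certificate is signed by the CA in sslrootcert and once against a server with a self-signed or mismatched certificate: the verify-full connection fails in the second case, while the prefer connection still succeeds, which is exactly why prefer and allow should be reserved for environments where transport authentication is provided some other way.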

The driver now also supports allow and prefer, see for details.