PostgreSQL JDBC 42.5.1, 42.4.3, 42.3.8, 42.2.27.jre7 Security update for CVE-2022-41946

Posted on 2022-11-23 by JDBC Project
Related: Open Source, Security

The PostgreSQL JDBC team have released 42.5.1, 42.4.3, 42.3.8 and 42.2.27.jre7 to address a security issue, CVE-2022-41946. (Note that there is no fix for 42.2.26.jre6; see the advisory for workarounds.)

This is only an issue if you are using PreparedStatement.setText() or PreparedStatement.setBytea() with a String or bytea argument larger than 51200 bytes. Above that size the driver buffers the value to disk, and to do so it creates a temporary file which, in previous versions, could be read by other users on the client system. Note that this only affects Unix-like systems. See the security advisory for the details.

Thanks to Jonathan Leitschuh for finding and reporting the issue.
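The following is an added illustration of the underlying file-permission problem; it is not code from the pgjdbc driver or from this announcement, and the class name, file-name prefixes and helper methods are my own. On a Unix-like system `java.io.File.createTempFile` creates the file with mode 0666 masked by the process umask (0644 under the usual umask of 022, so readable by every local user), whereas `java.nio.file.Files.createTempFile` asks for `rw-------` at creation time, independent of the umask. The check method reports whether a given file is exposed to other users, which is the same question to ask of any temporary file a client library writes into `java.io.tmpdir`.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/** Demo of world-readable vs owner-only temporary files (assumed names; not pgjdbc code). */
public class TempFilePermissionsDemo {

    /** Weak pattern: permissions depend only on the umask, typically rw-r--r--. */
    static Path umaskDependentTempFile() throws IOException {
        File f = File.createTempFile("tempfile-demo-weak-", ".tmp");
        f.deleteOnExit();
        return f.toPath();
    }

    /** Hardened pattern: the NIO API creates the file as rw------- on POSIX file systems. */
    static Path ownerOnlyTempFile() throws IOException {
        Path p = Files.createTempFile("tempfile-demo-hardened-", ".tmp");
        p.toFile().deleteOnExit();
        return p;
    }

    /** True if group or other have read access. Only meaningful on POSIX file systems. */
    static boolean readableByOtherUsers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    static String describe(Path p) throws IOException {
        String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
        return p + "  " + mode + (readableByOtherUsers(p) ? "  <-- readable by other users" : "  ok");
    }

    public static void main(String[] args) throws IOException {
        // Path that would be used for buffering; the umask-dependent file is the exposed one.
        System.out.println(describe(umaskDependentTempFile()));
        System.out.println(describe(ownerOnlyTempFile()));
    }
}
```

Run it with `java TempFilePermissionsDemo.java` on Linux; with the default umask the first line ends in `rw-r--r--` and is flagged, the second in `rw-------`. On Windows `Files.getPosixFilePermissions` throws `UnsupportedOperationException`, which matches the announcement's note that only Unix-like systems are affected. Whether the fixed driver versions use exactly this API is not stated on this page; consult the advisory and the release commits for the actual change.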