| From: | JDBC Project via PostgreSQL Announce <announce-noreply(at)postgresql(dot)org> |
|---|---|
| To: | PostgreSQL Announce <pgsql-announce(at)lists(dot)postgresql(dot)org> |
| Subject: | PostgreSQL JDBC versions 42.4.1/42.2.26 Security Update |
| Date: | 2022-08-15 13:21:53 |
| Message-ID: | 166056971352.655.12904366583007555449@wrigleys.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-announce |
The PostgreSQL JDBC team have released 42.2.26 and 42.4.1 to address a security issue: CVE-2022-31197. This is only an issue if you are using ResultSet.refreshRow()
Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands.
More information about this security advisory is available [here](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2)
Thanks to Sho Kato https://github.com/kato-sho for finding and reporting the issue
Regards,
pgjdbc team
| From | Date | Subject | |
|---|---|---|---|
| Next Message | CloudNativePG via PostgreSQL Announce | 2022-08-17 07:57:53 | CloudNativePG 1.16.1 and 1.15.3 Released! |
| Previous Message | PostgreSQL Global Development Group | 2022-08-11 13:14:43 | PostgreSQL 14.5, 13.8, 12.12, 11.17, 10.22, and 15 Beta 3 Released! |