Security Release announcement versions 42.2.25 and 42.3.2 have been released

Greetings,

Due to the following :
Impact

pgjdbc instantiates plugin instances based on class names provided via
authenticationPluginClassName, sslhostnameverifier, socketFactory,
sslfactory, sslpasswordcallback connection properties.

However, the driver did not verify if the class implements the expected
interface before instantiating the class.

We have released versions 42.2.25 and 42.3.2.

The only change in 42.2.25 was to address the security vulnerability in
this commit Merge pull request from GHSA-v7wg-cpwc-24m4 ·
pgjdbc/pgjdbc(at)8a363a7 (github.com)
<https://github.com/pgjdbc/pgjdbc/commit/8a363a7c0989ef8a8f45bb055b4003f758ceabd5>

42.3.2 has the above changes as well the following
Security

- CVE-2022-21724 pgjdbc instantiates plugin instances based on class
names provided via authenticationPluginClassName, sslhostnameverifier,
socketFactory, sslfactory, sslpasswordcallback connection properties.
However, the driver did not verify if the class implements the expected
interface before instantiating the class. This would allow a malicious
class to be instantiated that could execute arbitrary code from the JVM.
Fixed in commit
<https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813>

<https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md#changed-1>Changed

- perf: read in_hot_standby GUC on connection PR #2334
<https://github.com/pgjdbc/pgjdbc/pull/2334>
- test: materialized view privileges PR #2209
<https://github.com/pgjdbc/pgjdbc/pull/2209> fixes Issue #2060
<https://github.com/pgjdbc/pgjdbc/issues/2060>
- docs: add info about convenience maven project PR #2407
<https://github.com/pgjdbc/pgjdbc/pull/2407>
- docs: Document timezone reversal from POSIX to ISO PR #2413
<https://github.com/pgjdbc/pgjdbc/pull/2413>
- fix: we will ask the server if it supports GSS Encryption if
gssEncryption is prefer or require PR #2396
<https://github.com/pgjdbc/pgjdbc/pull/2396> remove the need to have a
ticket in the cache before asking the server if gss encryptions are
supported
- docs: remove Java 6 and 7 references from contributing PR #2385
<https://github.com/pgjdbc/pgjdbc/pull/2385>
- style: remove Java 8 / JDBC 4.2 checks PR #2383
<https://github.com/pgjdbc/pgjdbc/pull/2383> Remove all remaining checks
whether the source is lower than Java 8 or JDBC 4.2.
- fix: throw SQLException for #getBoolean BIT(>1) PR #2386
<https://github.com/pgjdbc/pgjdbc/pull/2386> Throw SQLException instead
of ClassCastException when calling CallableStatement#getBoolean(int) on
BIT(>1).
- style: import java.time types in more classes PR #2382
<https://github.com/pgjdbc/pgjdbc/pull/2382> Use imports for java.time
types in all remaining classes.
- style: import java.time types in TimestampUtils PR #2380
<https://github.com/pgjdbc/pgjdbc/pull/2380> Use imports for java.time
types in TimestampUtils.
- refactor: Change internal constructors to pass only connection
Properties Changes internal constructors for PgConnection and related
classes to only accept the connection properties object and remove the user
and password arguments. Any locations that required those fields can
retrieve them from the properties map.
- test: Fix DatabaseMetadataTest to perform mview tests only on 9.3+
- perf: read in_hot_standby GUC on connection PR #2334
<https://github.com/pgjdbc/pgjdbc/pull/2334>
- doc: improv doc around binary decoding of numeric data #2331
<https://github.com/pgjdbc/pgjdbc/pull/2331>
- Add cert key type checking to chooseClientAlias PR #2417
<https://github.com/pgjdbc/pgjdbc/pull/2417>

<https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md#added-1>Added

- feat: Add authenticationPluginClassName option to provide passwords at
runtime Adds authenticationPluginClassName connection property that allows
end users to specify a class that will provide the connection passwords at
runtime. Users implementing that interface must ensure that each invocation
of the method provides a new char[] array as the contents will be filled
with zeroes by the driver after use.Call sites within the driver have been
updated to use the char[] directly wherever possible. This includes direct
usage in the GSS authentication code paths that internally were already
converting the String password into a char[] for internal usage. This
allows configuring a connection with a password that must be generated on
the fly or periodically changes. PR #2369
<https://github.com/pgjdbc/pgjdbc/pull/2369> original issue Issue #2102
<https://github.com/pgjdbc/pgjdbc/issues/2102>
- feat: add tcpNoDelay option PR #2341
<https://github.com/pgjdbc/pgjdbc/pull/2341> fixes Issue #2324
<https://github.com/pgjdbc/pgjdbc/issues/2324>
- feat: pg_service.conf and .pgpass support
(jdbc:postgresql://?service=my-service) PR #2260
<https://github.com/pgjdbc/pgjdbc/pull/2260> fixes Issue #2278
<https://github.com/pgjdbc/pgjdbc/issues/2278>

<https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md#fixed-1>Fixed

<https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md#4231-2021-10-29>
<https://github.com/pgjdbc/pgjdbc/compare/REL42.3.0...REL42.3.1>

- Use local TimestampUtil in PgStatement and PgResultset for thread
safety PR #2291 <https://github.com/pgjdbc/pgjdbc/pull/2291> fixes Issue
#921 <https://github.com/pgjdbc/pgjdbc/issues/921> synchronize
modification of shared calendar
- fix: PgObject isNull() was reporting the opposite fixes Issue #2411
<https://github.com/pgjdbc/pgjdbc/issues/2411> PR #2414
<https://github.com/pgjdbc/pgjdbc/pull/2414>
- fix: default file name is ".pg_service.conf" on Windows (not
"pg_service.conf") PR #2398 <https://github.com/pgjdbc/pgjdbc/pull/2398>
fixes Issue #2278 <https://github.com/pgjdbc/pgjdbc/issues/2278>
- test: Fix RefCursorFetchTest on older platforms
- fix: do not close refcursor after reading if fetchsize has been set
fixes Issue #2227 <https://github.com/pgjdbc/pgjdbc/issues/2227> PR #2371
<https://github.com/pgjdbc/pgjdbc/pull/2371>
- fix: rework gss authentication to use the principal name to get the
credentials fixes Issue #2235
<https://github.com/pgjdbc/pgjdbc/issues/2235> PR #2352
<https://github.com/pgjdbc/pgjdbc/pull/2352>
- fix: return getIndexInfo metadata columns in UPPER CASE PR #2368
<https://github.com/pgjdbc/pgjdbc/pull/2368>
- fix: Connection leak in ConnectionFactoryImpl#tryConnect PR #2350
<https://github.com/pgjdbc/pgjdbc/pull/2350> Issue #2351
<https://github.com/pgjdbc/pgjdbc/issues/2351>
- fix: Fix For IS_AUTOGENERATED Flag PR #2348
<https://github.com/pgjdbc/pgjdbc/pull/2348>
- fix: parsing service file tests for windows PR #2347
<https://github.com/pgjdbc/pgjdbc/pull/2347>
- fix: The spec says that calling close() on a closed connection is a
noop. PR #2345 <https://github.com/pgjdbc/pgjdbc/pull/2345> fixes Issue
#2300 <https://github.com/pgjdbc/pgjdbc/issues/2300>
- fix: add microsecond precision to getTimestamp() called on sql TIME(6)
Currently, "when fetching a value of type TIME(6) through
resultSet.getTimestamp() only ms precision is retained, the microsecond
fractional digits are lost." This change will retain the microsecond
precision when .getTimestamp() is called on TIME(6). PR #2181
<https://github.com/pgjdbc/pgjdbc/pull/2181> Closes Issue #1537
<https://github.com/pgjdbc/pgjdbc/issues/1537>
- test: materialized view privileges PR #2209
<https://github.com/pgjdbc/pgjdbc/pull/2209> add and drop a materialized
view Add to TestUtil and also to DatabaseMetaData setup and teardown fixes
Issue #2060 <https://github.com/pgjdbc/pgjdbc/issues/2060>
- fix: typo in connect.md PR #2338
<https://github.com/pgjdbc/pgjdbc/pull/2238> OutOfMemoryException =>
OutOfMemoryError
- fix: use local TimestampUtil in PgStatement and PgResultset for thread
safety TimestampUtil is not thread safe. It raises exceptions when multiple
threads use ResultSets of one connection. PR #2291
<https://github.com/pgjdbc/pgjdbc/pull/2291> fixes Issue #921
<https://github.com/pgjdbc/pgjdbc/issues/921> If PgStatement and
PgResultSet use their own TimestampUtil no synchronize is needed.
- fix: typo in CONTRIBUTING.md PR #2332
<https://github.com/pgjdbc/pgjdbc/pull/2332> seccion => section

Thanks to everyone who contributed

Dave Cramer