| From: | Dave Cramer <davecramer(at)postgres(dot)rocks> |
|---|---|
| To: | TAKATSUKA Haruka <harukat(at)sraoss(dot)co(dot)jp> |
| Cc: | pgsql-jdbc(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Security Release announcement versions 42.2.25 and 42.3.2 have been released |
| Date: | 2022-03-04 15:46:42 |
| Message-ID: | CADK3HHL9cY8nBeNihc_WXx-38qF2E0wgTXL=F2KOyFp4rDjPHA@mail.gmail.com |
| Lists: | pgsql-jdbc |

Hello,

I have updated the download page. Thanks again

Dave Cramer

On Thu, 3 Mar 2022 at 08:23, Dave Cramer <davecramer(at)postgres(dot)rocks> wrote:
> Hello TAKATSUKA,
>
> Yes, of course. Thanks for the feedback.
>
> Dave
> Dave Cramer
> www.postgres.rocks
>
>
> On Thu, 3 Mar 2022 at 03:31, TAKATSUKA Haruka <harukat(at)sraoss(dot)co(dot)jp> wrote:
>
>> Hello, Dave and pgJDBC Team
>>
>> Thank you for always maintaining the JDBC driver.
>> I have a request about the 42.2.25 version.
>>
>> We can download 42.2.25 jar files from the following URL now,
>>
>> https://jdbc.postgresql.org/download/postgresql-42.2.25.jre7.jar
>> https://jdbc.postgresql.org/download/postgresql-42.2.25.jar
>>
>> but they are not listed on the download HTML page.
>>
>> https://jdbc.postgresql.org/download.html
>>
>> I would very much appreciate it if you would say that these 42.2.25 jar
>> files are official in this mailing list thread (or add links on the web page).
>> This may be helpful for those who are hesitant to use these jar files as is.
>>
>>
>> with best regards,
>> Takatsuka Haruka / SRA OSS, Inc.
>>
>>
>> On Tue, 1 Feb 2022 15:53:28 -0500
>> Dave Cramer <davecramer(at)gmail(dot)com> wrote:
>>
>> > Greetings,
>> >
>> > Due to the following :
>> > Impact
>> >
>> > pgjdbc instantiates plugin instances based on class names provided via
>> > authenticationPluginClassName, sslhostnameverifier, socketFactory,
>> > sslfactory, sslpasswordcallback connection properties.
>> >
>> > However, the driver did not verify if the class implements the expected
>> > interface before instantiating the class.
>> >
>> > We have released versions 42.2.25 and 42.3.2.
>> >
>> > The only change in 42.2.25 was to address the security vulnerability in
>> > this commit Merge pull request from GHSA-v7wg-cpwc-24m4 ·
>> > pgjdbc/pgjdbc(at)8a363a7 (github.com)
>> > <https://github.com/pgjdbc/pgjdbc/commit/8a363a7c0989ef8a8f45bb055b4003f758ceabd5>
>> >
>> (snip)
>>
>>
>>
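
The missing interface check described in the quoted announcement, shown as an added example that is not part of the thread and is not pgjdbc's own code. `PluginLoader`, `HostnameCheck`, `Unrelated` and `AllowLocalhost` are hypothetical names; the point is that the unchecked loader runs a constructor before any type mismatch is noticed, while the checked loader rejects the class first.

```java
public class PluginLoader {
    /** Hypothetical plugin interface standing in for a driver extension point. */
    public interface HostnameCheck { boolean verify(String host); }

    /** Constructed stand-in for a class that does not implement the interface. */
    public static class Unrelated {
        public static boolean constructed = false;
        public Unrelated() { constructed = true; }   // side effect we can observe
    }

    /** A legitimate plugin implementation. */
    public static class AllowLocalhost implements HostnameCheck {
        public boolean verify(String host) { return "localhost".equals(host); }
    }

    // Before: the named class is instantiated no matter what it is. A wrong type
    // only surfaces at the caller's cast, after the constructor has already run.
    static Object instantiateUnchecked(String className) throws Exception {
        return Class.forName(className).getDeclaredConstructor().newInstance();
    }

    // After: load without running static initializers, verify the class implements
    // the expected interface, and only then construct it.
    static <T> T instantiateChecked(Class<T> expected, String className) throws Exception {
        Class<?> cls = Class.forName(className, false, PluginLoader.class.getClassLoader());
        if (!expected.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(
                className + " does not implement " + expected.getName());
        }
        return expected.cast(cls.getDeclaredConstructor().newInstance());
    }

    public static void main(String[] args) throws Exception {
        String wrongType = Unrelated.class.getName();
        try {
            HostnameCheck h = (HostnameCheck) instantiateUnchecked(wrongType);
        } catch (ClassCastException e) {
            System.out.println("unchecked: constructor ran = " + Unrelated.constructed);
        }
        Unrelated.constructed = false;
        try {
            instantiateChecked(HostnameCheck.class, wrongType);
        } catch (IllegalArgumentException e) {
            System.out.println("checked: constructor ran = " + Unrelated.constructed);
        }
        HostnameCheck ok = instantiateChecked(HostnameCheck.class, AllowLocalhost.class.getName());
        System.out.println("valid plugin accepted: " + ok.verify("localhost"));
    }
}
```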