Re: Security Release announcement versions 42.2.25 and 42.3.2 have been released

From: Dave Cramer <davecramer(at)postgres(dot)rocks>
To: TAKATSUKA Haruka <harukat(at)sraoss(dot)co(dot)jp>
Cc: pgsql-jdbc(at)lists(dot)postgresql(dot)org
Subject: Re: Security Release announcement versions 42.2.25 and 42.3.2 have been released
Date: 2022-03-03 13:23:51
Message-ID: CADK3HHLWfLeYjL=sv+vp1SrXakYtRE-XV9SD3V3rLPyA4jvKDQ@mail.gmail.com
Lists: pgsql-jdbc

Hello TAKATSUKA,

Yes, of course. Thanks for the feedback.

Dave
Dave Cramer
www.postgres.rocks

On Thu, 3 Mar 2022 at 03:31, TAKATSUKA Haruka <harukat(at)sraoss(dot)co(dot)jp> wrote:

> Hello, Dave and pgJDBC Team
>
> Thank you for always maintaining the JDBC driver.
> I have a request about 42.2.25 version.
>
> We can download 42.2.25 jar files from the following URL now,
>
> https://jdbc.postgresql.org/download/postgresql-42.2.25.jre7.jar
> https://jdbc.postgresql.org/download/postgresql-42.2.25.jar
>
> but they don't exist on the download HTML page.
>
> https://jdbc.postgresql.org/download.html
>
> I would very much appreciate it if you say that these 42.2.25 jar files are official
> in this mailing list thread (or add links in the web page).
> This may be helpful for those who are hesitant to use these jar files as is.
>
>
> with best regards,
> Takatsuka Haruka / SRA OSS, Inc.
>
>
> On Tue, 1 Feb 2022 15:53:28 -0500
> Dave Cramer <davecramer(at)gmail(dot)com> wrote:
>
> > Greetings,
> >
> > Due to the following:
> > Impact
> >
> > pgjdbc instantiates plugin instances based on class names provided via
> > authenticationPluginClassName, sslhostnameverifier, socketFactory,
> > sslfactory, sslpasswordcallback connection properties.
> >
> > However, the driver did not verify if the class implements the expected
> > interface before instantiating the class.
> >
> > We have released versions 42.2.25 and 42.3.2.
> >
> > The only change in 42.2.25 was to address the security vulnerability in
> > this commit Merge pull request from GHSA-v7wg-cpwc-24m4 ·
> > pgjdbc/pgjdbc@8a363a7 (github.com)
> > <https://github.com/pgjdbc/pgjdbc/commit/8a363a7c0989ef8a8f45bb055b4003f758ceabd5>
> >
> (snip)
>
>
>
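
The check that the quoted announcement says was missing (verifying that a class named in a connection property implements the expected interface before instantiating it), shown as an added Java example that is not part of the original messages and is not pgjdbc's code. The names `PluginLoadCheck`, `Unrelated`, `loadUnchecked` and `loadChecked` are hypothetical, and `javax.net.SocketFactory` stands in here for the type a `socketFactory` value would be expected to have.

```java
import javax.net.SocketFactory;

public class PluginLoadCheck {
    // Constructed stand-in for an arbitrary class on the classpath: it has a public
    // no-arg constructor with a side effect and implements no plugin interface.
    public static class Unrelated {
        static boolean constructed = false;
        public Unrelated() { constructed = true; }
    }

    // Unchecked pattern: the constructor runs before anything looks at the type.
    static Object loadUnchecked(String className) throws Exception {
        return Class.forName(className).getDeclaredConstructor().newInstance();
    }

    // Checked pattern: load without running static initialisers, verify the type,
    // and only then call the constructor.
    static <T> T loadChecked(String className, Class<T> expected) throws Exception {
        ClassLoader loader = PluginLoadCheck.class.getClassLoader();
        Class<?> raw = Class.forName(className, false, loader);
        // asSubclass throws ClassCastException when raw is not a subtype of expected
        Class<? extends T> checked = raw.asSubclass(expected);
        return checked.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        String name = Unrelated.class.getName();

        try {
            loadChecked(name, SocketFactory.class);
        } catch (ClassCastException e) {
            // Rejected on type alone; the constructor has not been invoked.
            System.out.println("checked load rejected " + name
                    + ", constructor ran: " + Unrelated.constructed);
        }

        // The unchecked path instantiates the class regardless of its type.
        loadUnchecked(name);
        System.out.println("unchecked load, constructor ran: " + Unrelated.constructed);
    }
}
```

Passing `false` to `Class.forName` matters as much as the `asSubclass` call: it keeps static initialisers of the named class from running before the type check has passed.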
