Re: Security Release announcement versions 42.2.25 and 42.3.2 have been released

From Dave Cramer
Subject Re: Security Release announcement versions 42.2.25 and 42.3.2 have been released
Date
Msg-id CADK3HHL9cY8nBeNihc_WXx-38qF2E0wgTXL=F2KOyFp4rDjPHA@mail.gmail.com
In reply to Re: Security Release announcement versions 42.2.25 and 42.3.2 have been released  (Dave Cramer <davecramer@postgres.rocks>)
Responses Re: Security Release announcement versions 42.2.25 and 42.3.2 have been released  (TAKATSUKA Haruka <harukat@sraoss.co.jp>)
List pgsql-jdbc
Hello,

I have updated the download page. Thanks again
Dave Cramer



On Thu, 3 Mar 2022 at 08:23, Dave Cramer <davecramer@postgres.rocks> wrote:
Hello TAKATSUKA,

Yes, of course. Thanks for the feedback.

Dave
Dave Cramer
www.postgres.rocks


On Thu, 3 Mar 2022 at 03:31, TAKATSUKA Haruka <harukat@sraoss.co.jp> wrote:
Hello, Dave and pgJDBC Team

Thank you for always maintaining the JDBC driver.
I have a request about the 42.2.25 version.

We can download the 42.2.25 jar files from the following URLs now,

 https://jdbc.postgresql.org/download/postgresql-42.2.25.jre7.jar
 https://jdbc.postgresql.org/download/postgresql-42.2.25.jar

but they do not appear on the download HTML page.

 https://jdbc.postgresql.org/download.html

I would very much appreciate it if you could say that these 42.2.25 jar files are official
in this mailing list thread (or add links to the web page).
This may be helpful for those who are hesitant to use these jar files as is.


with best regards,
Takatsuka Haruka / SRA OSS, Inc.


On Tue, 1 Feb 2022 15:53:28 -0500
Dave Cramer <davecramer@gmail.com> wrote:

> Greetings,
>
> Due to the following:
> Impact
>
> pgjdbc instantiates plugin instances based on class names provided via
> authenticationPluginClassName, sslhostnameverifier, socketFactory,
> sslfactory, sslpasswordcallback connection properties.
>
> However, the driver did not verify if the class implements the expected
> interface before instantiating the class.
>
> We have released versions 42.2.25 and 42.3.2.
>
> The only change in 42.2.25 was to address the security vulnerability in
> this commit Merge pull request from GHSA-v7wg-cpwc-24m4 ·
> pgjdbc/pgjdbc@8a363a7 (github.com)
> <https://github.com/pgjdbc/pgjdbc/commit/8a363a7c0989ef8a8f45bb055b4003f758ceabd5>
>
(snip)
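
The kind of check the quoted advisory describes as missing, shown as an added Java example that is not part of the thread and is not pgjdbc's code or its actual fix. `PluginLoader`, `loadUnchecked`, `loadPlugin` and `SamplePlugin` are hypothetical names, and `Callable` stands in for a driver extension interface.

```java
import java.util.concurrent.Callable;

// Added illustration; PluginLoader and its methods are hypothetical, not pgjdbc APIs.
public class PluginLoader {

    // Before: any class named in a connection property is constructed,
    // whatever its type. One-argument Class.forName also runs static initializers.
    static Object loadUnchecked(String className) throws ReflectiveOperationException {
        return Class.forName(className).getDeclaredConstructor().newInstance();
    }

    // After: resolve the class without initializing it, verify that it
    // implements the expected interface, and only then call the constructor.
    static <T> T loadPlugin(String className, Class<T> expected)
            throws ReflectiveOperationException {
        ClassLoader loader = PluginLoader.class.getClassLoader();
        Class<?> raw = Class.forName(className, false, loader);
        if (!expected.isAssignableFrom(raw)) {
            throw new IllegalArgumentException(
                className + " does not implement " + expected.getName());
        }
        return raw.asSubclass(expected).getDeclaredConstructor().newInstance();
    }

    // Constructed sample plugin standing in for a legitimate extension class.
    public static class SamplePlugin implements Callable<String> {
        public String call() { return "ok"; }
    }

    public static void main(String[] args) throws Exception {
        // A class that implements the expected interface is accepted.
        Callable<?> plugin = loadPlugin(SamplePlugin.class.getName(), Callable.class);
        System.out.println("accepted: " + plugin.call());

        // A class of an unrelated type is rejected before its constructor runs.
        try {
            loadPlugin("java.lang.StringBuilder", Callable.class);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```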

