PostgreSQL JDBC 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, and 42.2.28.jre7 Security update for CVE-2024-1597

From: JDBC Project via PostgreSQL Announce
Subject: PostgreSQL JDBC 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, and 42.2.28.jre7 Security update for CVE-2024-1597
Date:
Msg-id: 170854445761.644.17638905410252627290@wrigleys.postgresql.org
List: pgsql-announce
 

The PostgreSQL JDBC team has released 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, and 42.2.28.jre7 to address a security issue: CVE-2024-1597. (Note: there is no fix for 42.2.26.jre6; see the advisory for workarounds.)

SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that contains a vulnerable SQL statement negating a parameter value.

There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.

See the security advisory for the details. Thanks to Paul Gerste for finding and reporting the issue.
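The announcement states three conditions for exposure: an unfixed driver version, the non-default preferQueryMode=simple setting, and application SQL that negates a bind parameter. The audit helper below, added here as an example and not part of this announcement or of the pgjdbc project, turns those conditions into checks a deployment owner can run over inventory data. The fixed-version table is copied from the announcement; the JDBC URL, host name and SQL strings in the tests are constructed sample input; and the "-?" detector is a deliberately narrow text heuristic for the negation pattern the announcement describes, not a reimplementation of the driver's query parser.

```python
"""Audit helpers for CVE-2024-1597 exposure (added example, not pgjdbc project code).

Checks, all grounded in the announcement text:
  1. driver_is_fixed        - is the driver at or above the fixed release for its 42.x line?
  2. uses_simple_query_mode - does the URL or Properties opt into preferQueryMode=simple?
  3. negated_parameter_sites - does a SQL string negate a bind parameter ('-' directly before '?')?
assess() combines them: exposure needs an unfixed driver AND simple mode AND a negated parameter.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Fixed release per 42.x line, as listed in the announcement.
FIXED_VERSIONS = {
    (42, 7): (42, 7, 2),
    (42, 6): (42, 6, 1),
    (42, 5): (42, 5, 5),
    (42, 4): (42, 4, 4),
    (42, 3): (42, 3, 9),
    (42, 2): (42, 2, 28),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a pgjdbc version; classifier suffixes like '.jre7' are dropped."""
    core = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in core.group(1).split("."))


def driver_is_fixed(version: str) -> Optional[bool]:
    """True/False for release lines the announcement covers, None for any other line."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= fixed


def uses_simple_query_mode(jdbc_url: str, properties: Optional[Dict[str, str]] = None) -> bool:
    """Flag preferQueryMode=simple whether it arrives via the URL query string or via the
    Properties passed to getConnection. Either source counts; the comparison is
    case-insensitive so the audit errs toward flagging."""
    values = list(parse_qs(jdbc_url.partition("?")[2]).get("preferQueryMode", []))
    if properties and "preferQueryMode" in properties:
        values.append(str(properties["preferQueryMode"]))
    return any(v.strip().lower() == "simple" for v in values)


def negated_parameter_sites(sql: str) -> List[int]:
    """Offsets of every '?' placeholder written immediately after a '-' (the negation
    pattern the announcement describes). Single-quoted literals and '--' line comments
    are skipped so text inside them is not reported."""
    sites: List[int] = []
    in_string = False
    i = 0
    while i < len(sql):
        c = sql[i]
        if in_string:
            if c == "'":
                if sql.startswith("''", i):      # doubled quote escapes a quote in the literal
                    i += 2
                    continue
                in_string = False
        elif c == "'":
            in_string = True
        elif sql.startswith("--", i):            # line comment: jump to end of line
            newline = sql.find("\n", i)
            i = len(sql) if newline == -1 else newline
            continue
        elif c == "?" and i > 0 and sql[i - 1] == "-":
            sites.append(i)
        i += 1
    return sites


def assess(version: str, jdbc_url: str, properties: Optional[Dict[str, str]],
           sql_statements: List[str]) -> Tuple[bool, List[str]]:
    """Single verdict plus human-readable findings for one deployment."""
    findings: List[str] = []
    fixed = driver_is_fixed(version)
    if fixed is None:
        findings.append(f"driver {version}: release line not covered by the advisory; check manually")
    elif not fixed:
        findings.append(f"driver {version}: below the fixed release for its line")
    simple = uses_simple_query_mode(jdbc_url, properties)
    if simple:
        findings.append("preferQueryMode=simple is set (non-default)")
    negated = {stmt: negated_parameter_sites(stmt) for stmt in sql_statements}
    for stmt, sites in negated.items():
        if sites:
            findings.append(f"SQL negates a parameter at offset(s) {sites}: {stmt!r}")
    # Exposed only when the driver is not confirmed fixed AND simple mode is on AND
    # at least one statement negates a parameter; remove any one condition to remediate.
    exposed = (fixed is not True) and simple and any(negated.values())
    return exposed, findings


if __name__ == "__main__":
    # Constructed sample deployment (host name and SQL are illustrative only).
    sample_url = "jdbc:postgresql://db.example.internal:5432/app?preferQueryMode=simple"
    verdict, notes = assess("42.7.1", sample_url, None, ["SELECT -? AS n", "SELECT - ? AS m"])
    print("exposed:", verdict)
    for note in notes:
        print(" -", note)
```

Upgrading to the fixed release for your line clears the verdict on its own; so does dropping preferQueryMode=simple, which the announcement identifies as the setting that makes the default query mode safe. The SQL check is a text heuristic for triage, so review its hits rather than treating an empty result as proof.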
