Navigation :

PostgreSQL JDBC Driver 42.4.1 Released

Security

  • fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
    • Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands.
    • Also adds a new test class ResultSetRefreshTest to verify this change.
    • Reported by Sho Kato

Changed

  • chore: skip publishing pgjdbc-osgi-test to Central
  • chore: bump Gradle to 7.5
  • test: update JUnit to 5.8.2

Added

  • chore: added Gradle Wrapper Validation for verifying gradle-wrapper.jar
  • chore: added “permissions: contents: read” for GitHub Actions to avoid unintentional modifications by the CI
  • chore: support building pgjdbc with Java 17

Commits by author

Dave Cramer (9):

  bump gradle to version 3 to fix compile errors with jdk17 [PR 2550](https://github.com/pgjdbc/pgjdbc/pull/2550)
  update the website content [PR 2578](https://github.com/pgjdbc/pgjdbc/pull/2578)

Sehrope Sarkuni (1):

Fix SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.

Vladimir Sitnikov (34):

bump system-stubs-jupiter to 2.0.1 to support Java 16+
update JUnit to 5.8.2
migrate DriverTest to JUnit5
bump Gradle to 7.5