PostgreSQL JDBC Driver 42.7.2 Released
Notable changes
Security
- security: SQL Injection via line comment generation, it is possible in
SimpleQuery
mode to generate a line comment by having a placeholder for a numeric with a-
such as-?
. There must be second placeholder for a string immediately after. Setting the parameter to a -ve value creates a line comment. This has been fixed in this version fixes CVE-2024-1597. Reported by Paul Gerste. See the security advisory for more details. This has been fixed in versions 42.7.2, 42.6.1 42.5.5, 42.4.4, 42.3.9, 42.2.28.jre7. See the security advisory for work arounds.
Changed
- fix: Use simple query for isValid. Using Extended query sends two messages checkConnectionQuery was never ever set or used, removed PR #3101
- perf: Avoid autoboxing bind indexes PR #1244
- refactor: Document that encodePassword will zero out the password array, and remove driver’s default encodePassword PR #3084
Added
- feat: Add PasswordUtil for encrypting passwords client side PR #3082
Commits by author
Vladimir Sitnikov (1): refactor: Document that encodePassword will zero out the password array, and remove driver’s default encodePassword PR #3084
Brett Okken (1): perf: Avoid autoboxing bind indexes PR #1244
Dave Cramer (1):
- fix: Apply connectTimeout before SSLSocket.startHandshake to avoid infinite wait in case the connection is broken PR #3040
Sehrope Sarkini (1):
- feat: Add PasswordUtil for encrypting passwords client side PR #3082