Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request from GHSA-562r-vg33-8x8h
* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system * Update site with change logs and new version information
- Loading branch information
1 parent
135be5a
commit 9008dc9
Showing
7 changed files
with
111 additions
and
25 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
--- | ||
title: PostgreSQL JDBC Driver 42.5.1 Released | ||
date: 2022-11-21 15:21:47 -0500 | ||
categories: | ||
- new_release | ||
version: 42.5.1 | ||
--- | ||
**Notable changes** | ||
|
||
### Security | ||
- security: StreamWrapper spills to disk if setText, or setBytea sends very large Strings or arrays to the server. createTempFile creates a file which can be read by other users on unix like systems (Not macos).\ | ||
This has been fixed in this version fixes CVE-2022-41946 see the [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h) for more details.\ | ||
Reported by [Jonathan Leitschuh](https://github.com/JLLeitschuh)\ | ||
This has been fixed in versions 42.5.1, 42.4.3 42.3.8, 42.2.27.jre7.\ | ||
**Note** there is no fix for 42.2.26.jre6. See the security advisory for work arounds. | ||
|
||
### Fixed | ||
|
||
- fix: make sure we select array_in from pg_catalog to avoid duplicate array_in functions fixes [#Issue 2548](https://github.com/pgjdbc/pgjdbc/issues/2548) [PR #2552](https://github.com/pgjdbc/pgjdbc/issues/2552) | ||
- fix: binary decoding of bool values [PR #2640](https://github.com/pgjdbc/pgjdbc/pull/2640) | ||
- perf: improve performance of PgResultSet getByte/getShort/getInt/getLong for float-typed columns [PR #2634](https://github.com/pgjdbc/pgjdbc/pull/2634) | ||
- chore: fix various spelling errors [PR #2592](https://github.com/pgjdbc/pgjdbc/pull/2592) | ||
- chore: Feature/urlparser improve URLParser [PR #2641](https://github.com/pgjdbc/pgjdbc/pull/2592) | ||
|
||
|
||
<!--more--> | ||
|
||
**Commits by author** | ||
|
||
Dave Cramer (13): | ||
Update README.md [PR 2609](https://github.com/pgjdbc/pgjdbc/pull/2609)\ | ||
Ignore simplequery for postgresql 8.4 [PR 2614](https://github.com/pgjdbc/pgjdbc/pull/2614)\ | ||
Single commit to move newdocs into master [PR 2618](https://github.com/pgjdbc/pgjdbc/pull/2618)\ | ||
update versions [PR 2619](https://github.com/pgjdbc/pgjdbc/pull/2619)\ | ||
fix grammar, fix downloads, minor edits [PR 2626](https://github.com/pgjdbc/pgjdbc/pull/2626)\ | ||
fix: make sure we select array_in from pg_catalog to avoid duplicate array_in functions fixes #Issue 2548 [PR 2552](https://github.com/pgjdbc/pgjdbc/pull/2552)\ | ||
clarify prepared statement usage [PR 2629](https://github.com/pgjdbc/pgjdbc/pull/2629)\ | ||
fix maven coordinates [PR 2631](https://github.com/pgjdbc/pgjdbc/pull/2631)\ | ||
remove javadoc links for java 17 and above [PR 2637](https://github.com/pgjdbc/pgjdbc/pull/2637)\ | ||
revert change to PGProperty.get() to keep the API the same [PR 2644](https://github.com/pgjdbc/pgjdbc/pull/2644)\ | ||
exclude ArrayTest versions less than 9.1 [PR 2645](https://github.com/pgjdbc/pgjdbc/pull/2645)\ | ||
|
||
Evgeniy Devyatykh (1): | ||
perf: improve performance of PgResultSet getByte/getShort/getInt/getLong for float-typed columns [PR 2634](https://github.com/pgjdbc/pgjdbc/pull/2634) | ||
|
||
Josh Soref (1): | ||
chore: fix various spelling errors [PR 2592](https://github.com/pgjdbc/pgjdbc/pull/2592) | ||
|
||
Kevin222004 (1): | ||
|
||
Knut Olav Løite (1): | ||
fix: binary decoding of bool values [PR 2640](https://github.com/pgjdbc/pgjdbc/pull/2640) | ||
|
||
Marek Läll (1): | ||
Feature/urlparser improve3 pr1 [PR 2641](https://github.com/pgjdbc/pgjdbc/pull/2641) | ||
|
||
Vladimir Sitnikov (4): | ||
docs: clarify we ship security fixes by default for the latest 42.x and 42.2 only [PR 2586](https://github.com/pgjdbc/pgjdbc/pull/2586) | ||
|
||
μtkarsh (1): | ||
Optimize png files [PR 2621](https://github.com/pgjdbc/pgjdbc/pull/2621) | ||
|
||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters