
List:       postgresql-announce
Subject:    PostgreSQL JDBC 42.3.3 Released
From:       JDBC Project via PostgreSQL Announce <announce-noreply () postgresql ! org>
Date:       2022-02-17 11:44:47
Message-ID: 164509828721.681.3705749846813252999 () wrigleys ! postgresql ! org

A [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8)
has been created for the PostgreSQL JDBC Driver. The loggerFile property of the URL
connection string could be misused to create an arbitrary file on the system where the
driver is loaded. Additionally, anything in the connection string is logged and
subsequently written into that file. On an insecure system it would be possible to
execute this file through a web server.

While we do not consider this a security issue with the driver, we have decided to
remove the loggerFile and loggerLevel connection properties in the next release of
the driver. Removal of those properties does not make exposing the JDBC URL or
connection properties to an attacker safe, and we continue to suggest that
applications do not allow untrusted users to specify arbitrary connection properties.

We are removing them to prevent misuse; their functionality can be delegated to
java.util.logging. The changelog is not very useful, as the change was made behind a
security advisory. The short version is that the loggerFile and loggerLevel properties
still exist but no longer do anything.
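The advice above is that applications must not let untrusted users choose arbitrary connection properties, and that driver logging belongs in java.util.logging rather than in the connection string. The following is an added example of how an application can enforce that; it is illustrative code written for this page, not code from pgjdbc or the JDBC team. It assumes a fixed application-chosen URL (the host, port and database name are placeholders), a small allowlist of caller-settable properties, and that pgjdbc logs under the java.util.logging namespace "org.postgresql" (an assumption; check the driver's documentation for your version).

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Builds a pgjdbc connection from caller-supplied options without letting the
 * caller pick arbitrary driver properties. Hypothetical application code for
 * this example, not part of pgjdbc.
 */
public final class SafeJdbcConnector {

    /** The only properties an untrusted caller may set; everything else is rejected. */
    private static final Set<String> ALLOWED = Set.of("user", "password", "ApplicationName");

    /** Properties this application never accepts from callers, named explicitly so
     *  that a later edit to ALLOWED cannot reintroduce them by accident. */
    private static final Set<String> DENIED = Set.of("loggerFile", "loggerLevel");

    /** Fixed URL chosen by the application; host, port and database are placeholders
     *  here and are never taken from user input. */
    private static final String BASE_URL = "jdbc:postgresql://db.example.internal:5432/app";

    private SafeJdbcConnector() {}

    /** Copies caller options into a Properties object, throwing on anything off the allowlist. */
    static Properties sanitize(Map<String, String> callerOptions) {
        Properties props = new Properties();
        for (Map.Entry<String, String> e : callerOptions.entrySet()) {
            String key = e.getKey();
            if (DENIED.contains(key) || !ALLOWED.contains(key)) {
                throw new IllegalArgumentException("connection property not permitted: " + key);
            }
            String value = e.getValue();
            if (value == null) {
                throw new IllegalArgumentException("missing value for property: " + key);
            }
            // Values are passed as Properties rather than appended to the URL, so
            // '&', '=' or '?' inside a value cannot smuggle in extra key=value pairs.
            props.setProperty(key, value);
        }
        return props;
    }

    /** Driver logging is configured by the application through java.util.logging,
     *  not through connection-string properties. The logger name "org.postgresql"
     *  is assumed to be the namespace the driver logs under. */
    static void configureDriverLogging(Level level) {
        Logger driverLog = Logger.getLogger("org.postgresql");
        driverLog.setLevel(level);
        ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(level);
        driverLog.addHandler(handler);
        driverLog.setUseParentHandlers(false);
    }

    /** Opens a connection using only the sanitized properties and the fixed URL. */
    static Connection connect(Map<String, String> callerOptions) throws SQLException {
        return DriverManager.getConnection(BASE_URL, sanitize(callerOptions));
    }

    public static void main(String[] args) {
        configureDriverLogging(Level.INFO);

        // Constructed sample input: a caller trying to set loggerFile is rejected.
        Map<String, String> rejected = Map.of("user", "app", "loggerFile", "/tmp/example.log");
        try {
            sanitize(rejected);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }

        // Constructed sample input: only allowlisted keys pass through.
        Properties ok = sanitize(Map.of("user", "app", "ApplicationName", "report-job"));
        System.out.println("accepted: " + ok);
    }
}
```

The allowlist is the important part: a deny list of just loggerFile and loggerLevel would have to be revisited every time the driver gains a property with side effects, whereas an allowlist only ever admits what the application has deliberately decided to expose. Keeping the values out of the URL string also removes the class of bugs where a value containing `&` or `?` is parsed as additional properties.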

The PostgreSQL JDBC team would like to thank all that have participated in this release!

The JDBC Team
