Skip to content

fix(deps): update dependency org.postgresql:postgresql to v42.7.7 [security] #304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps): update dependency org.postgresql:postgresql to v42.7.7 [security] #304

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jun 11, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.postgresql:postgresql (source) 42.7.5 -> 42.7.7 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-49146

Impact

When the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements.

Patches

TBD

Workarounds

Configure sslMode=verify-full to prevent MITM attacks.

References

Release Notes

pgjdbc/pgjdbc (org.postgresql:postgresql)

v42.7.7

Security
  • security: Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration.
    Fix channel binding required handling to reject non-SASL authentication
    Previously, when channel binding was set to "require", the driver would silently ignore this
    requirement for non-SASL authentication methods. This could lead to a false sense of security
    when channel binding was explicitly requested but not actually enforced. The fix ensures that when
    channel binding is set to "require", the driver will reject connections that use
    non-SASL authentication methods or when SASL authentication has not completed properly.
    See the Security Advisory for more detail. Reported by George MacKerron
    The following CVE-2025-49146 has been issued
Added
  • test: Added ChannelBindingRequiredTest to verify proper behavior of channel binding settings

v42.7.6

Features
  • fix: Enhanced DatabaseMetadata.getIndexInfo() method, added index comment as REMARKS property PR #​3513
Performance Improvements
  • performance: Improve ResultSetMetadata.fetchFieldMetaData by using IN row values instead of UNION ALL for improved query performance (later reverted) PR #​3510
  • feat:Use a single simple query for all startup parameters, so groupStartupParameters is no longer needed PR #​3613

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants