PL/Java 1.5.0-BETA1 announced; security note.

Posted on 2016-02-04 by PL/Java Project

PL/Java brings functions, triggers, and types in Java. 1.5.0, now in beta, supports latest PostgreSQL and Java versions with a range of improvements and fixes.

Project site: http://tada.github.io/pljava/
Release notes: http://tada.github.io/pljava/releasenotes.html

Security note:

1.5.0 brings a policy change to a more secure-by-default posture: the ability to create functions in LANGUAGE java is no longer automatically granted to PUBLIC, but can be selectively granted to the roles that will have that responsibility. The change reduces exposure to a known issue present in 1.5.0 and earlier versions, which will be closed in a future release; details are in the release notes.

The new policy will be applied in a new installation; permissions will not be changed in an upgrade, but any site can move to this policy, even before updating to 1.5.0, with REVOKE USAGE ON LANGUAGE java FROM public; followed by explicit GRANT commands for the users/roles expected to create Java functions. Many sites guided by the principle of least privilege may have chosen such a policy already.
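Applying that policy to an existing installation, and checking the result, as an added example that is not from the announcement or the PL/Java project; the role names java_developers and alice are assumptions:

```sql
-- Added example (not part of the PL/Java announcement): move an existing
-- installation to the 1.5.0 default policy for LANGUAGE java.
-- java_developers and alice are assumed role names for illustration.

-- Inspect the current grant. A NULL lanacl means built-in defaults apply,
-- which for a trusted language include USAGE for PUBLIC.
SELECT lanname, lanpltrusted, lanacl
  FROM pg_language
 WHERE lanname = 'java';

-- Withdraw the blanket grant so no arbitrary role can create Java functions.
REVOKE USAGE ON LANGUAGE java FROM PUBLIC;

-- Grant it back only to the role responsible for writing Java functions,
-- and put individual developers into that role rather than granting directly.
CREATE ROLE java_developers NOLOGIN;
GRANT USAGE ON LANGUAGE java TO java_developers;
GRANT java_developers TO alice;   -- alice is an assumed login role

-- Verify: only members of java_developers (and superusers, who always
-- pass this check and are filtered out here) should show true.
SELECT rolname,
       has_language_privilege(rolname, 'java', 'USAGE') AS can_create_java
  FROM pg_roles
 WHERE NOT rolsuper
 ORDER BY rolname;
```

Run the inspection query again after the REVOKE; lanacl is then an explicit ACL list without a PUBLIC (=U/…) entry, which is the state a new 1.5.0 installation starts in.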

MS Windows note:

1.5.0 development snapshots have been repeatedly tested on Windows building with Visual Studio (including the Express and Community editions), and the build documentation covers this combination. Beta testers should find it straightforward.

Resources have not been available to test MinGW-based builds. Beta testers using this combination are encouraged to report build issues they may encounter. (Patches, where possible, would be appreciated also. A likely place to look in case of issues would be the comments above PLJAVADLLEXPORT in Backend.c.)

Many thanks to all the individuals and organizations listed in the release notes under Credits.