PostgreSQL JDBC 42.5.1, 42.4.3, 42.3.8, 42.2.27.jre7 Security update for CVE-2022-41946

From: JDBC Project via PostgreSQL Announce <announce-noreply(at)postgresql(dot)org>
To: PostgreSQL Announce <pgsql-announce(at)lists(dot)postgresql(dot)org>
Subject: PostgreSQL JDBC 42.5.1, 42.4.3, 42.3.8, 42.2.27.jre7 Security update for CVE-2022-41946
Date: 2022-11-23 17:26:16
Message-ID: 166922437667.1896.12613448576418013558@wrigleys.postgresql.org
Lists: pgsql-announce

The PostgreSQL JDBC team has released 42.5.1, 42.4.3, 42.3.8 and 42.2.27.jre7 to address a security issue, CVE-2022-41946. (Note that there is no fix for 42.2.26.jre6; see the advisory for workarounds.)
This is only an issue if you are using PreparedStatement.setText() or PreparedStatement.setBytea() with a String or bytea argument larger than 51200 bytes, at which point the driver buffers the value to disk. To do this it creates a temporary file which, in previous versions, could be read by other users on the client system. Note that this only affects Unix-like systems. See the [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h) for the details.
Thanks to [Jonathan Leitschuh](https://github.com/JLLeitschuh) for finding and reporting the issue.
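The underlying weakness, shown as an added example rather than pgjdbc's own code or anything from the original announcement: on a Unix-like host the legacy `java.io.File.createTempFile` API creates the file with mode 0666 masked by the process umask, so with the common umask of 022 a buffered value is readable by every local user, whereas `java.nio.file.Files.createTempFile` creates it 0600 on POSIX file systems. The file prefixes and the private directory name are illustrative. The last method builds a user-only directory suitable for `-Djava.io.tmpdir=...`, the usual mitigation when the driver cannot be upgraded (the property must be set on the JVM command line, because the JDK caches it the first time a temp file is created).

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Added example (not pgjdbc code). Assumes a POSIX file system; on a
 * non-POSIX file system getPosixFilePermissions throws
 * UnsupportedOperationException.
 */
public class TempFilePermissions {

    // Legacy API: the file is opened with mode 0666 & ~umask. With umask 022
    // the result is rw-r--r--, so any local user can read what is buffered
    // into it. This is the class of defect the advisory describes.
    static Path legacyTempFile() throws IOException {
        File f = File.createTempFile("buffer-legacy-", ".tmp"); // prefix is illustrative
        f.deleteOnExit();
        return f.toPath();
    }

    // NIO API: on POSIX file systems Files.createTempFile uses rw-------
    // regardless of umask, so only the owning user can read the buffer.
    static Path nioTempFile() throws IOException {
        Path p = Files.createTempFile("buffer-nio-", ".tmp"); // prefix is illustrative
        p.toFile().deleteOnExit();
        return p;
    }

    // Mitigation for a driver you cannot upgrade: a directory only the current
    // user can enter (rwx------). Files created inside may still be 0644, but
    // no other user can traverse the directory to open them. Pass its path to
    // the JVM as -Djava.io.tmpdir=<dir>.
    static Path privateTmpDir() throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        return Files.createTempDirectory("private-tmp-", // prefix is illustrative
                PosixFilePermissions.asFileAttribute(ownerOnly));
    }

    // The check: does anyone other than the owner have read permission?
    static boolean readableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempFile();
        Path nio = nioTempFile();
        Path dir = privateTmpDir();
        System.out.println(legacy + " readable by others: " + readableByOthers(legacy));
        System.out.println(nio + " readable by others: " + readableByOthers(nio));
        System.out.println(dir + " mode: "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(dir)));
        Files.delete(dir);
    }
}
```

On a host with umask 022 the first line reports `true` and the second `false`; with a restrictive umask (077) both report `false`, which is why the umask of the client process, not just the driver version, determines the exposure.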
