| From: | Dave Cramer <davecramer(at)gmail(dot)com> |
|---|---|
| To: | List <pgsql-jdbc(at)postgresql(dot)org> |
| Subject: | pgjdbc 42.2.5 released to address potential security issue |
| Date: | 2018-08-28 17:47:56 |
| Message-ID: | CADK3HHLFw9jaRqzPxvsfOWMJK65aZE7m2TZuWRFNQjunoh_BGA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
A potential security issue ([CVE-2018-10936](
https://access.redhat.com/security/cve/CVE-2018-10936)) has been addressed.
It was theoretically possible to provide an SSL Factory and not check the
host name if a host name verifier was not provided to the driver.
During the process of investigating this a number of changes have been made.
`ssl=true` now means `verify-full`. This is a diversion from libpq which
defaults to no validation or verification. With `ssl=true` or `verify-full`
the driver will verify the ssl certificate and validate that the host is
the host named in the certificate.
The driver now also supports allow and prefer, see [
https://jdbc.postgresql.org/documentation/head/ssl-client.html](ssl-client)
for details.
Regards,
Dave Cramer
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dave Cramer | 2018-08-29 15:51:03 | [pgjdbc/pgjdbc] f26615: Update README.md |
| Previous Message | Vladimir Sitnikov | 2018-08-27 16:27:19 | [pgjdbc/pgjdbc] d43398: docs: reflect 42.2.5 release in readme.md |