Update dependency org.postgresql:postgresql to v42.7.11 [SECURITY] #10
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "renovate/maven-org.postgresql-postgresql-vulnerability"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
42.2.18→42.7.11pgjdbc Does Not Check Class Instantiation when providing Plugin Classes
BIT-postgresql-jdbc-driver-2022-21724 / CVE-2022-21724 / GHSA-v7wg-cpwc-24m4
More information
Details
Impact
pgjdbc instantiates plugin instances based on class names provided via
authenticationPluginClassName,sslhostnameverifier,socketFactory,sslfactory,sslpasswordcallbackconnection properties.However, the driver did not verify if the class implements the expected interface before instantiating the class.
Here's an example attack using an out-of-the-box class from Spring Framework:
The first impacted version is REL9.4.1208 (it introduced
socketFactoryconnection property)Severity
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
PostgreSQL JDBC Driver SQL Injection in ResultSet.refreshRow() with malicious column names
BIT-postgresql-jdbc-driver-2022-31197 / CVE-2022-31197 / GHSA-r38f-c4h4-hqq2
More information
Details
Impact
What kind of vulnerability is it? Who is impacted?
The PGJDBC implementation of the
java.sql.ResultRow.refreshRow()method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g.;, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user.User applications that do not invoke the
ResultSet.refreshRow()method are not impacted.User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the
refreshRow()method on the ResultSet.For example:
This example has a table with two columns. The name of the second column is crafted to contain a statement terminator followed by additional SQL. Invoking the
ResultSet.refreshRow()on a ResultSet that queried this table, e.g.SELECT * FROM refresh_row, would cause the additional SQL commands such as theSELECT pg_sleep(10)invocation to be executed.As the multi statement command would contain multiple results, it would not be possible for the attacker to get data directly out of this approach as the
ResultSet.refreshRow()method would throw an exception. However, the attacker could execute any arbitrary SQL including inserting the data into another table that could then be read or any other DML / DDL statement.Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user.
Patches
Has the problem been patched? What versions should users upgrade to?
Yes, versions 42.2.26, 42.3.7, and 42.4.1 have been released with a fix.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Check that you are not using the
ResultSet.refreshRow()method.If you are, ensure that the code that executes that method does not connect to a database that is controlled by an unauthenticated or malicious user. If your application only connects to its own database with a fixed schema with no DDL permissions, then you will not be affected by this vulnerability as it requires a maliciously crafted schema.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
TemporaryFolder on unix-like systems does not limit access to created files
BIT-postgresql-jdbc-driver-2022-41946 / CVE-2022-41946 / GHSA-562r-vg33-8x8h
More information
Details
Vulnerability
PreparedStatement.setText(int, InputStream)and
PreparedStatemet.setBytea(int, InputStream)will create a temporary file if the InputStream is larger than 51k
Example of vulnerable code:
This will create a temporary file which is readable by other users on Unix like systems, but not MacOS.
Impact
On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system.
This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability.
When analyzing the impact of this vulnerability, here are the important questions to ask:
Is the driver running in an environment where the OS has other untrusted users.
If yes, and you answered 'yes' to question 1, this vulnerability impacts you.
If no, this vulnerability does not impact you.
Patches
Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using.
Java 1.8 and higher users: this vulnerability is fixed in 42.2.27, 42.3.8, 42.4.3, 42.5.1
Java 1.7 users: this vulnerability is fixed in 42.2.27.jre7
Java 1.6 and lower users: no patch is available; you must use the workaround below.
Workarounds
If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability.
References
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Fix commit
9008dc9aadSimilar Vulnerabilities
Google Guava - https://github.com/google/guava/issues/4011
Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945
JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824
Severity
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
org.postgresql:postgresql vulnerable to SQL Injection via line comment generation
BIT-postgresql-jdbc-driver-2024-1597 / CVE-2024-1597 / GHSA-24rp-q3w6-vc56
More information
Details
Impact
SQL injection is possible when using the non-default connection property
preferQueryMode=simplein combination with application code that has a vulnerable SQL that negates a parameter value.There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.
Exploitation
To exploit this behavior the following conditions must be met:
-)The prior behavior of the driver when operating in simple query mode would inline the negative value of the first parameter and cause the resulting line to be treated as a
--SQL comment. That would extend to the beginning of the next parameter and cause the quoting of that parameter to be consumed by the comment line. If that string parameter includes a newline, the resulting text would appear unescaped in the resulting SQL.When operating in the default extended query mode this would not be an issue as the parameter values are sent separately to the server. Only in simple query mode the parameter values are inlined into the executed SQL causing this issue.
Example
The resulting SQL when operating in simple query mode would be:
The contents of the second parameter get injected into the command. Note how both the number of result columns and the WHERE clause of the command have changed. A more elaborate example could execute arbitrary other SQL commands.
Patch
Problem will be patched upgrade to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, 42.2.28.jre7
The patch fixes the inlining of parameters by forcing them all to be serialized as wrapped literals. The SQL in the prior example would be transformed into:
Workarounds
Do not use the connection property
preferQueryMode=simple. (NOTE: If you do not explicitly specify a query mode then you are using the default ofextendedand are not impacted by this issue.)Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
pgjdbc Arbitrary File Write Vulnerability
GHSA-673j-qm5f-xpv8
More information
Details
Overview
The connection properties for configuring a pgjdbc connection are not meant to be exposed to an unauthenticated attacker. While allowing an attacker to specify arbitrary connection properties could lead to a compromise of a system, that's a defect of an application that allows unauthenticated attackers that level of control.
It's not the job of the pgjdbc driver to decide whether a given log file location is acceptable. End user applications that use the pgjdbc driver must ensure that filenames are valid and restrict unauthenticated attackers from being able to supply arbitrary values. That's not specific to the pgjdbc driver either, it would be true for any library that can write to the application's local file system.
While we do not consider this a security issue with the driver, we have decided to remove the loggerFile and loggerLevel connection properties in the next release of the driver. Removal of those properties does not make exposing the JDBC URL or connection properties to an attacker safe and we continue to suggest that applications do not allow untrusted users to specify arbitrary connection properties. We are removing them to prevent misuse and their functionality can be delegated to java.util.logging.
If you identify an application that allows remote users to specify a complete JDBC URL or properties without validating it's contents, we encourage you to notify the application owner as that may be a security defect in that specific application.
Impact
It is possible to specify an arbitrary filename in the loggerFileName connection parameter
"jdbc:postgresql://localhost:5432/test?user=test&password=test&loggerLevel=DEBUG&loggerFile=./blah.jsp&<%Runtime.getRuntime().exec(request.getParameter("i"));%>"
This creates a valid JSP file which could lead to a Remote Code Execution
Patches
LoggerFile implementation has been removed and will be ignored by the driver, fixed in 42.3.3
Workarounds
sanitize the inputs to the driver
Reported by Allan Lou v3ged0ge@gmail.com
Severity
Moderate
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Path traversal in org.postgresql:postgresql
BIT-postgresql-jdbc-driver-2022-26520 / CVE-2022-26520 / GHSA-727h-hrw8-jg8q
More information
Details
In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.
Severity
Low
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS
BIT-postgresql-jdbc-driver-2026-42198 / CVE-2026-42198 / GHSA-98qh-xjc8-98pq
More information
Details
Summary
pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication.
Impact
A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count.
With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail.
A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools.
In affected versions,
loginTimeoutdid not fully mitigate this problem. WhenloginTimeoutexpired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation.This issue affects availability. It does not provide authentication bypass, privilege escalation, or direct password disclosure.
A user is vulnerable when all of the following are true:
server-first-message.In practice, that can happen in these situations:
/etc/hosts, environment variables, or similar indirectionsslmodelower thanverify-full, or trusting a CA that signs hosts outside the operator's control)The issue is more damaging when the application uses connection retries, many parallel connection attempts, or
loginTimeoutand assumes the timeout fully stops the work.Patches
The patch introduces a new connection property,
scramMaxIterations, with a default of 100K. The client now rejects SCRAM server messages that advertise more PBKDF2 iterations than the configured cap before starting the PBKDF2 computation begins.Workarounds
Until a patched version of pgjdbc is deployed, the following measures reduce exposure:
Only connect to trusted PostgreSQL servers whose identity is verified.
Connect only to trusted PostgreSQL servers, and verify server identity with TLS using sslmode=verify-full and a trusted CA.
TLS without certificate and hostname verification is not sufficient as an active network attacker can still impersonate the server.
Do not rely on
loginTimeoutas a complete mitigation on unpatched versions.On affected versions,
loginTimeoutcan stop the waiting caller while the worker thread continues spending CPU.Avoid SCRAM on untrusted or interceptable connection paths.
For those paths, use an authentication method that does not let the server choose a SCRAM PBKDF2 iteration count.
Reduce blast radius operationally.
Limit parallel connection attempts, add retry backoff, isolate connection establishment in a separate worker or process when possible, and apply CPU or container limits where appropriate.
On trusted servers you control, keep SCRAM iteration counts at ordinary values.
This does not defend against an attacker-controlled server, but it avoids unnecessary client cost when talking to legitimate servers.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
pgjdbc/pgjdbc (org.postgresql:postgresql)
v42.7.11Security
pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins.
See the Security Advisory for more detail.
The following CVE-2026-42198 has been issued.
Added
Changed
Fixed
v42.7.10Changed
Fixed
Reverted
v42.7.9Added
Changed
Fixed
v42.7.8Added
Changed
BufferedInputStreamwithFileInputStreamPR #3750Fixed
v42.7.7Security
Fix
channel binding requiredhandling to reject non-SASL authenticationPreviously, when channel binding was set to "require", the driver would silently ignore this
requirement for non-SASL authentication methods. This could lead to a false sense of security
when channel binding was explicitly requested but not actually enforced. The fix ensures that when
channel binding is set to "require", the driver will reject connections that use
non-SASL authentication methods or when SASL authentication has not completed properly.
See the Security Advisory for more detail. Reported by George MacKerron
The following CVE-2025-49146 has been issued
Added
v42.7.6Features
Performance Improvements
v42.7.5Added
Fixed
fc60537PR #3476v42.7.4Added
Fixed
Deprecated
v42.7.3Changed
Fixed
else iftoswitchNoSuchMethodError on ByteBuffer#positionwhen running on Java 8v42.7.2Security
SimpleQuerymode to generate a line comment by having a placeholder for a numeric with a-such as
-?. There must be second placeholder for a string immediately after. Setting the parameter to a -ve value creates a line comment.This has been fixed in this version fixes CVE-2024-1597. Reported by Paul Gerste. See the security advisory for more details. This has been fixed in versions 42.7.2, 42.6.1 42.5.5, 42.4.4, 42.3.9, 42.2.28.jre7. See the security advisory for work arounds.
Changed
Added
v42.7.1Security
Added
reWriteBatchedInsertsnow merges up to 32768 rows into one multi-valuesINSERT(bounded by the 65535 bind-parameter limit on the extended protocol) instead of capping at 128, which speeds up batches of few-column rows. The newreWriteBatchedInsertsSizeconnection property lowers that cap when set; the default of0uses that maximum.autosave=ALWAYS. Controlled by the newflushCacheOnDdlconnection property (defaulttrue); set tofalsefor the prior behaviour.connectExecutorconnection property to customize theExecutorused to run the worker task that performs the connection attempt whenloginTimeoutis in effect. The value is the fully qualified name of a class implementingjava.util.concurrent.Executor. With a null value, the default, the driver retains the prior behavior of running the connection attempt on a daemon thread named"PostgreSQL JDBC driver connection thread". The executor must run the task on a thread other than the caller's. Running the attempt on a named thread lets applications that monitor driver-created threads identify it.connectThreadFactoryconnection property to customize theThreadFactoryused to spawn the worker thread that runs the connection attempt whenloginTimeoutis in effect. The value is the fully qualified name of a class implementingjava.util.concurrent.ThreadFactory. With a null value, the default, the driver retains the prior behavior of using a daemon thread named"PostgreSQL JDBC driver connection thread". Useful for testing timeout behaviour or for applications that want detailed control of all driver-created threads.classLoaderStrategyconnection property to control which classloaders the driver searches when loading a class named by a connection property, for examplesocketFactory. The defaultdriver-firstnow falls back to the thread context classloader when the driver's classloader cannot resolve the class, which fixes class loading in non-flat class paths such as Quarkus and OSGi. Setdriverto keep the previous driver-classloader-only behaviour, orcontext-firstto prefer the thread context classloader Issue #2112Changed
loginTimeoutis now aFutureTask(ConnectTask) instead of the hand-rolledConnectThread. When the caller hits the timeout, the task is now cancelled withcancel(true), which interrupts the worker thread rather than letting it run to completion. This makes the connection attempt interruptible, sologinTimeoutcan stop a slow connection attempt instead of leaking a thread. As before, a connection that the worker still manages to establish after the caller gives up is closed by the worker so that it does not leak. There are no public API changes and this should only lead to faster background resource cleanup for connections that time out.PGXAConnection.ConnectionHandlernow rejectssetAutoCommit(false)andsetSavepoint(...)during an active XA branch, in addition to the long-rejectedsetAutoCommit(true)/commit()/rollback(). ThesetSavepointrejection was already meant to be in place but the guard misspelled the method name assetSavePoint, so savepoints silently went through. Both changes bring the proxy in line with JTA 1.2 §3.4.commitPrepared/rollback-of-prepared now returnXAER_RMFAILinstead ofXAER_RMERRwhen the underlying connection is left in a non-idleTransactionState. Transaction managers (Geronimo, Narayana, Atomikos) treatXAER_RMFAILas retryable on a freshXAResource; the prepared transaction is no longer abandoned.Fixed
postgresql-<version>.jarand its detached PGP signature, taken from the same signed build that is uploaded to Maven Central, instead of a leftover SNAPSHOT jar Issue #3812 PR #3814Statement#cancelstate machine by dropping the redundantCANCELLEDstate.killTimerTasknow waits for the state to return toIDLEdirectly, which removes a spin-forever case when more than one thread observes the cancel completing PR #1827.BEGINand the following query to share a network flush Issue #3894reWriteBatchedInsertsno longer throwsIllegalArgumentExceptionwhen batching a parameterlessINSERT(for exampleINSERT INTO t VALUES (1, 2)) of 256 rows or more.CALLin aCallableStatementno longer hides the native call, so OUT parameter registration works for/* comment */ call proc(?, ?)and similar.Parser.modifyJdbcCallnow skips leading whitespace and SQL comments (both--and/* */) before the call, tolerates a trailing comment after a{ ... }escape, and no longer adds a spurious comma when moving an OUT parameter into a call whose arguments are only a comment Issue #2538PreparedStatement.toString()no longer throws for abyteavalue supplied as text viaPGobject. Hex-format values (\x...) are validated and rendered as abytealiteral, and escape-format values are quoted and cast like any other literal Issue #3757contextClassLoaderof sharedForkJoinPool.commonPool()worker threads, which previously left unrelated tasks on those threads running with anullclassloader Issue #4155PGXAConnectionno longer saves and restores the underlying connection's JDBCautoCommitflag. All XA-protocol SQL (BEGIN,PREPARE TRANSACTION,COMMIT,ROLLBACK,COMMIT PREPARED,ROLLBACK PREPARED, therecover()SELECT) is sent throughQUERY_SUPPRESS_BEGIN, so the caller'sautoCommitvalue is invariant across everyXAResourcecall. Fixes the "2nd phase commit must be issued using an idle connection" failure during recovery on managed datasources that pool connections withautoCommit=false(TomEE, WildFly, WebSphere Liberty).PGXAConnection.prepare()now mutates XA state only afterPREPARE TRANSACTIONsucceeds. A failedPREPAREpreviously left the driver thinking the branch was already prepared, so the follow-uprollback(xid)triedROLLBACK PREPAREDagainst a non-existent gid and returnedXAER_RMERR. Transaction managers (Narayana) escalated this toHeuristicMixedException. With the fix,rollback(xid)takes the active-branch path and issues a plainROLLBACK, which the server accepts cleanly. Fixes Issue #3153, Issue #3123.search_path. When two schemas held a table with the same name and the same primary or unique index name but a different set of key columns, the driver took the union of both schemas' columns, so the result set could be wrongly rejected as not updatable PR #4214. Supersedes PR #3400.v42.7.0Changed
java.desktopmodule. PR #2967Fixed
v42.6.0Changed
fix: use PhantomReferences instead of
Obejct.finalize()to track Connection leaks PR #2847The change replaces all uses of Object.finalize with PhantomReferences.
The leaked resources (Connections) are tracked in a helper thread that is active as long as
there are connections in use. By default, the thread keeps running for 30 seconds after all
the connections are released. The timeout is set with pgjdbc.config.cleanup.thread.ttl system property.
refactor:(loom) replace the usages of synchronized with ReentrantLock PR #2635
Fixes Issue #1951
v42.5.4Fixed
v42.5.3Fixed
v42.5.2Changed
Added
Fixed
v42.5.1Security
This has been fixed in this version fixes CVE-2022-41946 see the security advisory for more details. Reported by Jonathan Leitschuh This has been fixed in versions 42.5.1, 42.4.3 42.3.8, 42.2.27.jre7. Note there is no fix for 42.2.26.jre6. See the security advisory for work arounds.
Fixed
v42.5.0Changed
float now aliases to float8 PR #2598 fixes Issue #2597
v42.4.2Changed
Added
Fixed
v42.4.1Security
SQL. This allowed a malicious table with column names that include statement terminator to be parsed and
executed as multiple separate commands.
Changed
Added
v42.4.0Changed
startup parameters in a transaction (default=false like 42.2.x) fixes Issue #2425
pgbouncer cannot deal with transactions in statement pooling mode PR #2425
Fixed
PR #2525, Issue #1311
Regression since 42.2.13. PR #2531, issue #2527
v42.3.6Changed
Added
Fixed
v42.3.5Changed
Added
Fixed
This is a regression from 42.2.x versions where tcpNoDelay defaulted to true
v42.3.4Changed
and default timezones PR 2464 fixes Issue #2221
Added
Fixed
v42.3.3Changed
They can no longer be used to configure the driver logging. Instead use java.util.logging
configuration mechanisms such as
logging.properties.Added
Fixed
v42.3.2Security
sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties.
However, the driver did not verify if the class implements the expected interface before instantiating the class. This
would allow a malicious class to be instantiated that could execute arbitrary code from the JVM. Fixed in commit
Changed
is prefer or require PR #2396 remove the need to have a ticket in the cache before asking the server if gss encryptions are supported
or JDBC 4.2.
CallableStatement#getBoolean(int) on BIT(>1).
Changes internal constructors for PgConnection and related classes to only accept the connection properties object and
remove the user and password arguments. Any locations that required those fields can retrieve them from the properties map.
Added
Adds authenticationPluginClassName connection property that allows end users to specify a class
that will provide the connection passwords at runtime. Users implementing that interface must
ensure that each invocation of the method provides a new char[] array as the contents
will be filled with zeroes by the driver after use.Call sites within the driver have been updated to use the char[] directly wherever possible.
This includes direct usage in the GSS authentication code paths that internally were already converting the String password into a char[] for internal usage.
This allows configuring a connection with a password that must be generated on the fly or periodically changes. PR #2369 original issue Issue #2102
Fixed
fixes Issue #921 synchronize modification of shared calendar
resultSet.getTimestamp() only ms precision is retained, the microsecond fractional digits are lost." This change will retain the microsecond
precision when .getTimestamp() is called on TIME(6). PR #2181 Closes Issue #1537
Add to TestUtil and also to DatabaseMetaData setup and teardown fixes Issue #2060
OutOfMemoryException=>OutOfMemoryErrorsafety TimestampUtil is not thread safe. It raises exceptions when multiple threads use ResultSets of one connection. PR #2291
fixes Issue #921
If PgStatement and PgResultSet use their own TimestampUtil no synchronize is needed.
v42.3.1Changed
multi-dimensional array the one exception is byte[], which is not supported.
improve the parsing of bytea hex encoded string by making a lookup table for each of the valid ascii code points to the 4 bit numeric value
Added
Fixed
binary numeric values which represented integers multiples of 10,000 from 10,000-9,990,000 were not decoded correctly
GreagoriantoGregorian.v42.3.0Changed
Added
Resource can be provided using 1) property "-Dorg.postgresql.pgservicefile=file1" 2) environment variable PGSERVICEFILE=file2 3) default location "$HOME/.pg_service.conf" 4) environment variable PGSYSCONFDIR=dir1 looks for file "dir1/pg_service.conf".
Fixed
Add a property
QUOTE_RETURNING_IDENTIFIERSwhich determines if we put double quotesaround identifiers that are provided in the returning array.
v42.2.24Fixed
Avoid leaking server error details through BatchUpdateException when logServerErrorDetail PR #2254
QueryExecutorImpl.receiveFastpathResult did not properly handle ParameterStatus messages.
This in turn caused failures for some LargeObjectManager operations. Closes Issue #2237
Fixed by adding the missing code path, based on the existing handling in processResults. PR #2253
It is possible to break method PgDatabaseMetaData.getIndexInfo() by adding certain custom operators. This PR fixes it.
use older syntax for COMMENT ON FUNCTION with explicit no-arg parameter parentheses as it is required on server versions before v10.
Handle cleanup of connection creation in StatementTest, handle cleanup of privileged connection in DatabaseMetaDataTest
fixes issues introduced in PR #2199 closes Issue #2196
v42.2.23Changed
Fixed
This does not have the issue of name shadowing / qual-names, and has the added benefit of fixing #1948.
v42.2.22Fixed
4fa2d5b. Unfortunatelydue to the blocking nature of the driver and issues with seeing if there is a byte available on a blocking stream when it is encrypted
this introduces unacceptable delays in returning from peek(). At this time there is no simple solution to this.
v42.2.21Changed
Fixed
fixes Issue 2173
v42.2.20Fixed
The usage of
setQueryTimeout();with the same value as thesetNetworkTimeout();is blocking the current transaction timeout.The timeouts are blocking each other with this approach.
v42.2.19Notable Changes
Changed
There is a small behaviour change here as a result. If closeOnCompletion is called on an existing statement and the statement
is executed a second time it will fail.
Added
Fixed
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
eb1b04b572tof5486692ceEdited/Blocked Notification
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠️ Warning: custom changes will be lost.
View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.Merge
Merge the changes and update on Forgejo.Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.