RedHat has issued an advisory on July 28:
The issue is fixed upstream in 42.2.13.
Cauldron has been updated.
Fedora backported a patch to 42.2.12, but it doesn't apply to 42.2.5:
RHEL8 patched 42.2.3 in the advisory in Comment 0. It does apply:
Updated postgresql-jdbc packages fix security vulnerability:
XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692).
Updated packages in core/updates_testing:
Full details of this vulnerability are here:
MGA7-64 Plasma on Lenovo B50
No installation issues.
Trying to make a connection to postgres running on my desktop PC, but I don't feel like installing a full java development configuration.
Trying to make a libreoffice connection, but I am not sure this would be using the package?
Got the libreoffice connection working, but it does not use any of the files under test.
Giving up on clean install.
- Set up a PostgreSQL 11 server on a VM
- Wrote a short test piece of code in java and compiled it.
java -cp .:/usr/share/java/postgresql-jdbc.jar postMain
Connected to the PostgreSQL server successfully.
Ran it before and after the update. In both cases the jdbc driver was working. I did not test the vulnerability as that is a bit more in-depth than I have bandwidth for.
Works for me.
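For anyone repeating this test, the following is an added example of the kind of short Java check described in the comment above; it is not the tester's postMain and not part of the postgresql-jdbc package. It connects, prints the JDBC driver name and version (so you can confirm the updated jar is the one actually on the classpath), reads an xml value back through the driver's SQLXML type, and parses it with a DOM parser that has DOCTYPE and external-entity handling disabled, which is the standard mitigation for the XXE class of bug fixed here. The database name, user and password are assumptions; adjust them to match your VM.

```java
import java.io.StringReader;
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLXML;
import java.sql.Statement;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/*
 * Added example, not the QA tester's program and not project code.
 * Assumed: database "testdb" on localhost:5432, user "tester", password "secret".
 * Compile and run the same way as in the comment above:
 *   javac XmlDriverCheck.java
 *   java -cp .:/usr/share/java/postgresql-jdbc.jar XmlDriverCheck
 */
public class XmlDriverCheck {
    static final String URL  = "jdbc:postgresql://localhost:5432/testdb"; // assumed
    static final String USER = "tester";                                  // assumed
    static final String PASS = "secret";                                  // assumed

    // A DOM parser that rejects any DOCTYPE declaration outright and turns
    // off external entity resolution, so an XML value cannot trigger a local
    // file read or an outbound request while being parsed.
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse XML text with the hardened parser instead of relying on whatever
    // parser configuration the installed driver's SQLXML.getSource() uses.
    static Document parseXmlText(String xml) throws Exception {
        return hardenedParser().parse(new InputSource(new StringReader(xml)));
    }

    static Document parseXmlColumn(SQLXML value) throws Exception {
        return parseXmlText(value.getString());
    }

    public static void main(String[] args) throws Exception {
        try (Connection conn = DriverManager.getConnection(URL, USER, PASS)) {
            DatabaseMetaData md = conn.getMetaData();
            System.out.println("Connected to " + md.getDatabaseProductName() + " "
                    + md.getDatabaseProductVersion());
            // Check this against the version in the advisory (42.2.13 upstream).
            System.out.println("JDBC driver: " + md.getDriverName() + " " + md.getDriverVersion());

            // Benign xml value read back through the driver's SQLXML type.
            try (Statement st = conn.createStatement();
                 ResultSet rs = st.executeQuery("SELECT '<note>hello</note>'::xml")) {
                while (rs.next()) {
                    Document d = parseXmlColumn(rs.getSQLXML(1));
                    System.out.println("parsed root element: " + d.getDocumentElement().getTagName());
                }
            }
        }

        // Constructed sample (not from a database): XML that carries a DOCTYPE,
        // the construct an entity-based payload needs. The hardened parser
        // refuses it before any entity is resolved.
        String withDoctype = "<!DOCTYPE n [<!ENTITY e \"x\">]><n>&e;</n>";
        try {
            parseXmlText(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected as intended: " + e.getMessage());
        }
    }
}
```

The driver version line is the quick way to confirm that the jar under test, rather than an older copy elsewhere on the classpath, is what the program loaded; the local DOCTYPE check shows the parser configuration an application should use for XML it receives from the database regardless of which driver version is installed.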
We'll go with it. Validating. Advisory in Comment 2.