Fedora has issued an advisory on April 14: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/ The issue is fixed upstream in 42.2.5 and 42.3.2: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4 Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Updated packages checked into SVN. Both updates failed on the build system:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20220415184723.luigiwalser.duvel.3927951/log/postgresql-jdbc-42.3.3-1.mga9/build.aarch64.0.20220415185154.log
http://pkgsubmit.mageia.org/uploads/failure/8/core/updates_testing/20220415184850.luigiwalser.duvel.3930116/log/postgresql-jdbc-42.2.25-1.mga8/build.aarch64.0.20220415185258.log

Advisory:
========================

Updated postgresql-jdbc packages fix security vulnerability:

A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when an attacker controls the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to remote code execution loaded via arbitrary classes. (CVE-2022-21724).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21724
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/
========================

Updated packages in core/updates_testing:
========================
postgresql-jdbc-42.2.25-1.mga8
postgresql-jdbc-javadoc-42.2.25-1.mga8

from postgresql-jdbc-42.2.25-1.mga8.src.rpm
Assignee: bugsquad => java
Status comment: (none) => Updates checked into SVN but failed to build
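The class-loading flaw in the advisory above, as an added illustration (this is not pgjdbc's own code): the unchecked loader constructs whatever class a connection property names, while the checked loader performs the interface check the advisory says was missing before any constructor runs. The plugin interface, the verifier class and the loader names are assumed.

```java
import java.util.Properties;

final class PluginLoader {
    // Pre-fix pattern: the named class is resolved (running its static
    // initializer) and constructed before anyone checks what it is.
    static Object loadUnchecked(String className) throws Exception {
        return Class.forName(className).getDeclaredConstructor().newInstance();
    }

    // Fixed pattern: resolve without initializing, confirm the class implements
    // the expected interface, and only then run its constructor.
    static <T> T loadChecked(Class<T> expected, String className) throws Exception {
        Class<?> cls = Class.forName(className, false, PluginLoader.class.getClassLoader());
        if (!expected.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(
                className + " does not implement " + expected.getName());
        }
        return expected.cast(cls.getDeclaredConstructor().newInstance());
    }

    public static void main(String[] args) throws Exception {
        // Constructed connection properties, as an application might pass with a JDBC URL.
        Properties good = new Properties();
        good.setProperty("sslhostnameverifier", AcceptAllVerifier.class.getName());
        Properties bad = new Properties();
        bad.setProperty("sslhostnameverifier", "java.util.ArrayList"); // unrelated class

        HostnameVerifierPlugin v = loadChecked(HostnameVerifierPlugin.class,
                good.getProperty("sslhostnameverifier"));
        System.out.println("accepted: " + v.getClass().getName() + " -> " + v.verify("db.example"));

        // The unchecked loader builds an ArrayList for a verifier slot without complaint...
        Object o = loadUnchecked(bad.getProperty("sslhostnameverifier"));
        System.out.println("unchecked built: " + o.getClass().getName());
        // ...while the checked loader rejects it before its constructor is reached.
        try {
            loadChecked(HostnameVerifierPlugin.class, bad.getProperty("sslhostnameverifier"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}

// Stand-in for a pgjdbc plugin interface (assumed name, not the driver's).
interface HostnameVerifierPlugin {
    boolean verify(String hostname);
}

// A legitimate plugin: the only kind of class the checked loader accepts.
class AcceptAllVerifier implements HostnameVerifierPlugin {
    public boolean verify(String hostname) { return true; }
}
```

Passing `initialize=false` to `Class.forName` matters: with the one-argument form, a class's static initializer runs at resolution time, before any interface check can reject it.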
SUSE has issued an advisory on August 3: https://lists.suse.com/pipermail/sle-security-updates/2022-August/011762.html The issue is fixed upstream in 42.3.3: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8 Mageia 8 is also affected.
Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3IZVFBY4EZUAL2AWI7FHJCUSGLL3VKIG/
Fedora has issued advisories on October 5: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP/ The issues are fixed upstream in 42.2.26, 42.3.7, and 42.4.1: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2
Summary: postgresql-jdbc new security issue CVE-2022-21724 => postgresql-jdbc new security issues CVE-2022-21724 and CVE-2022-31197
Status comment: Updates checked into SVN but failed to build => Fixed upstream in 42.2.26, 42.3.7, and 42.4.1
openSUSE has issued an advisory for the newest issue on October 6: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/X4D6FYYJXFISYRZVM6QVK6YMBG2KTXMC/
postgresql-jdbc-42.5.0-1.mga9 uploaded for Cauldron. Mageia 8 update still doesn't build: http://pkgsubmit.mageia.org/uploads/failure/8/core/updates_testing/20221104160236.luigiwalser.duvel.1338727/log/postgresql-jdbc-42.2.26-1.mga8/build.aarch64.0.20221104160311.log
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Fedora has issued an advisory on January 13: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD/ The issue is fixed upstream in 42.2.7, 42.3.8, 42.4.3, and 42.5.1: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h Cauldron has been updated.
Status comment: Fixed upstream in 42.2.26, 42.3.7, and 42.4.1 => Fixed upstream in 42.2.27, 42.3.8, 42.4.3, and 42.5.1
Summary: postgresql-jdbc new security issues CVE-2022-21724 and CVE-2022-31197 => postgresql-jdbc new security issues CVE-2022-21724, CVE-2022-31197, CVE-2022-41946
(In reply to David Walser from comment #7)
> Fedora has issued an advisory on January 13:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/25TY2L3RMVNOC7VAHJEAO7PTT6M6JJAD/
>
> The issue is fixed upstream in 42.2.7, 42.3.8, 42.4.3, and 42.5.1:
> https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h
>
> Cauldron has been updated.

openSUSE has issued an advisory for this on January 19:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SYGPHYOMZE2VYMPEUXSVSZHF5VSAZAXU/
RedHat has issued an advisory for CVE-2022-41946 today (May 9): https://access.redhat.com/errata/RHSA-2023:2378
Mageia 8 EOL
Status: NEW => RESOLVED
Resolution: (none) => OLD
CC: (none) => nicolas.salguero