That CVE was announced here:
https://www.openwall.com/lists/oss-security/2024/04/02/6
It is fixed in versions 42.7.2 (for Cauldron, I think it is better to upgrade to 42.7.3) and 42.5.5 (for Mageia 9). Mageia 9 is also affected.
Status comment: (none) => Fixed upstream in 42.7.2 and 42.5.5
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-1597
Source RPM: (none) => postgresql-jdbc-42.7.1-1.mga10.src.rpm
Suggested advisory:
========================

The updated packages fix a security vulnerability:

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. (CVE-2024-1597)

References:
https://www.openwall.com/lists/oss-security/2024/04/02/6
========================

Updated packages in core/updates_testing:
========================
postgresql-jdbc-42.5.6-1.mga9
postgresql-jdbc-javadoc-42.5.6-1.mga9

from SRPM:
postgresql-jdbc-42.5.6-1.mga9.src.rpm
Source RPM: postgresql-jdbc-42.7.1-1.mga10.src.rpm => postgresql-jdbc-42.5.1-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 42.7.2 and 42.5.5 => (none)
Keywords: (none) => advisory
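An added example, not part of this bug report or of pgjdbc: a small audit script that flags the combination the advisory describes, namely a connection URL selecting the simple query mode together with a statement in which a placeholder directly follows a minus sign and another placeholder appears later on the same line. The function names are hypothetical, the URLs and SQL strings are constructed, and because parameter types cannot be known from the SQL text it flags any second placeholder, not only string ones.

```python
import re
from urllib.parse import parse_qsl

# Single-quoted SQL literals; blanked so a '?' inside text is not counted.
_LITERAL = re.compile(r"'(?:[^']|'')*'")
# A '?' directly after '-', followed by another '?' later on the same line.
_PATTERN = re.compile(r"-\?[^\n]*\?")


def uses_simple_mode(jdbc_url):
    """True if the connection URL selects the non-default simple query mode."""
    query = jdbc_url.partition("?")[2]
    return any(k.lower() == "preferquerymode" and v.lower() == "simple"
               for k, v in parse_qsl(query))


def flagged_lines(sql):
    """Return (line_number, text) for lines matching the advisory's conditions."""
    # Keep newlines while blanking literals so line numbers stay correct.
    blanked = _LITERAL.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), sql)
    pairs = zip(sql.split("\n"), blanked.split("\n"))
    return [(n, orig.strip()) for n, (orig, line) in enumerate(pairs, 1)
            if _PATTERN.search(line)]


def audit(jdbc_url, statements):
    """Map statement name -> flagged lines, only when simple mode is enabled."""
    if not uses_simple_mode(jdbc_url):
        return {}
    return {name: hits for name, sql in statements.items()
            if (hits := flagged_lines(sql))}


# Constructed sample input (not taken from the bug report).
URL_SIMPLE = "jdbc:postgresql://localhost:5432/m?preferQueryMode=simple"
URL_DEFAULT = "jdbc:postgresql://localhost:5432/m"
STATEMENTS = {
    "adjust": "UPDATE cars SET year = year -? WHERE brand = ?",
    "split": "UPDATE cars SET year = year -?\nWHERE brand = ?",
    "spaced": "UPDATE cars SET year = year - ? WHERE brand = ?",
    "literal": "SELECT '-?' AS note, model FROM cars WHERE brand = ?",
}

if __name__ == "__main__":
    for name, hits in audit(URL_SIMPLE, STATEMENTS).items():
        print(name, hits)
```

Only the "adjust" statement is reported, and only for the URL that enables simple mode; a hit is a prompt to review the statement and confirm the driver is at a fixed version.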
MGA-64 Plasma Wayland on HP-Pavillion
No installation issues
Ref bug 27017 for testing, but I have no idea what Brian's "piece of code" is.
Googled for an example, found
https://mkyong.com/jdbc/how-do-connect-to-postgresql-with-jdbc-driver-java/
Edited the example to connect to my postgres on my desktop, but got (as in the example):
$ java JDBCExample
SQL State: 08001
No suitable driver found for jdbc:postgresql .....etc
Tried manual loading
$ java -cp /usr/share/java/postgresql.jar JDBCExample
Error: Could not find or load main class JDBCExample
Caused by: java.lang.ClassNotFoundException: JDBCExample
I have no idea why that is????
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #2)
> MGA-64 Plasma Wayland on HP-Pavillion
> No installation issues
> Ref bug 27017 for testing, but I have no idea what Brian's "piece of
> code" is.
> Googled for an example, found
> https://mkyong.com/jdbc/how-do-connect-to-postgresql-with-jdbc-driver-java/
> Edited the example to connect to my postgres on my desktop, but got (as in
> the example):
> $ java JDBCExample
> SQL State: 08001
> No suitable driver found for jdbc:postgresql .....etc
> Tried manual loading
> $ java -cp /usr/share/java/postgresql.jar JDBCExample
> Error: Could not find or load main class JDBCExample
> Caused by: java.lang.ClassNotFoundException: JDBCExample
> I have no idea why that is????

Sorry if I am again asking an obvious question, but do you have java-17-openjdk-headless?
I found this very long explanation of the issue, I hope it helps you:
https://stackoverflow.com/questions/18093928/what-does-could-not-find-or-load-main-class-mean/18093929#18093929
Yes, it is installed, and I tried to get any wiser from that site, but gave up. Leaving for someone else.
CC: (none) => brtians1
Brian Rockwell, can you please make the test for this bug? Thank you.
I'll look into it. Hopefully still have the code.
jdbc driver

install postgres and start it
install new jdbc driver

su over to postgres
CREATE DATABASE m;
psql
create user mageia with password 'mageia5';
\c m
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO mageia;
CREATE TABLE cars (
  brand VARCHAR(255),
  model VARCHAR(255),
  year INT
);
insert into cars (brand, model, year) values ('Honda', 'Insight', 2019);
select * from cars; --this confirms the row is there

Now compile program using java 17
javac -cp /usr/share/java/postgresql.jar postMan.java
java -cp .:/usr/share/java/postgresql.jar postMan

I was able to get a successful connection

$ java -cp .:/usr/share/java/postgresql.jar postMan
Connection established successfully
Honda, Insight, 2019

(I'll attach code in a minute)
Created attachment 14497
really basic java connect to postgres (Java 17)
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Thank you for the test Brian
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0120.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED