
fix(security): update pgjdbc for SCRAM DoS advisory #27

Merged
ailuckly merged 1 commit into develop from fix/pgjdbc-scram-dos
May 6, 2026

Conversation

@ailuckly ailuckly (Owner) commented May 6, 2026

Summary

  • Update org.postgresql:postgresql from 42.7.7 to 42.7.11.
  • Address Dependabot alert #82: pgjdbc unbounded PBKDF2 iterations in SCRAM authentication can cause client-side CPU exhaustion DoS.
  • Keep the patch scoped to vocata-server/pom.xml only.

Verification

  • mvn -Dmaven.repo.local=/tmp/juhao_m2repo -DskipTests -Dincludes=org.postgresql:postgresql dependency:tree: resolves org.postgresql:postgresql:42.7.11.
  • mvn -Dmaven.repo.local=/tmp/juhao_m2repo -Dmaven.test.skip=true package: passed.
  • git diff --check: passed.

Notes

  • Tests are skipped by the existing package verification command.
  • GitHub security alert #82 remains visible on the default branch until this PR is merged and GitHub rescans dependencies.

Update org.postgresql:postgresql to 42.7.11 to address the SCRAM PBKDF2 iteration CPU exhaustion DoS advisory.

Verification:

- mvn -Dmaven.repo.local=/tmp/juhao_m2repo -DskipTests -Dincludes=org.postgresql:postgresql dependency:tree

- mvn -Dmaven.repo.local=/tmp/juhao_m2repo -Dmaven.test.skip=true package

- git diff --check
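The advisory this PR addresses concerns a SCRAM client that performs however many PBKDF2 iterations the server's server-first message demands. As an added example, not code from this PR or from pgjdbc, the following Python client-side check parses the SCRAM server-first message and refuses to start key derivation when the iteration count falls outside a bounded range. The cap value, the nonce and salt values, and the function names are constructed for illustration; the exact check pgjdbc 42.7.11 applies is not described on this page.

```python
import base64
import hashlib
import re

# Bounds on the PBKDF2 iteration count this client will honour. The SCRAM RFCs
# recommend at least 4096 iterations; the ceiling is an illustrative assumption
# for this example, not the threshold pgjdbc applies.
MIN_SCRAM_ITERATIONS = 4096
MAX_SCRAM_ITERATIONS = 100_000

# SCRAM server-first-message (RFC 5802): r=<nonce>,s=<base64 salt>,i=<iterations>
SERVER_FIRST_RE = re.compile(
    r"^r=(?P<nonce>[^,]+),s=(?P<salt>[^,]+),i=(?P<iters>\d+)$"
)

# Constructed sample messages (nonce and salt are made up for this example).
CLIENT_NONCE = "clientNonce01"
OK_MSG = "r=clientNonce01serverNonce02,s=QSXCR+Q6sek8bf92,i=4096"
HOSTILE_MSG = "r=clientNonce01serverNonce02,s=QSXCR+Q6sek8bf92,i=4000000000"


class ScramRejected(ValueError):
    """The server-first message must not be acted upon."""


def parse_server_first(msg: str, client_nonce: str) -> dict:
    """Validate a server-first message before any PBKDF2 work is started.

    Every check here is cheap (regex, integer compare, base64 decode), so a
    hostile or malformed message costs the client almost nothing to reject.
    """
    m = SERVER_FIRST_RE.match(msg)
    if m is None:
        raise ScramRejected("malformed server-first message")
    nonce, salt_b64, iters = m["nonce"], m["salt"], int(m["iters"])
    if not nonce.startswith(client_nonce) or nonce == client_nonce:
        raise ScramRejected("server nonce must extend the client nonce")
    if iters < MIN_SCRAM_ITERATIONS:
        raise ScramRejected(f"iteration count {iters} below RFC minimum")
    if iters > MAX_SCRAM_ITERATIONS:
        raise ScramRejected(
            f"iteration count {iters} exceeds client cap {MAX_SCRAM_ITERATIONS}"
        )
    try:
        salt = base64.b64decode(salt_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ScramRejected("salt is not valid base64") from exc
    return {"nonce": nonce, "salt": salt, "iterations": iters}


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """SaltedPassword := Hi(password, salt, i) for SCRAM-SHA-256 (PBKDF2-HMAC-SHA-256).

    SASLprep normalisation of the password is omitted in this example.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def client_handle_server_first(msg: str, client_nonce: str, password: str) -> bytes:
    """Derive the salted password only after the message has passed validation."""
    params = parse_server_first(msg, client_nonce)
    return salted_password(password, params["salt"], params["iterations"])


def accepts(msg: str, client_nonce: str = CLIENT_NONCE) -> bool:
    """True if the client would start key derivation for this message."""
    try:
        parse_server_first(msg, client_nonce)
        return True
    except ScramRejected:
        return False


if __name__ == "__main__":
    for label, msg in (("normal", OK_MSG), ("hostile", HOSTILE_MSG)):
        try:
            key = client_handle_server_first(msg, CLIENT_NONCE, "pencil")
            print(f"{label}: derived {len(key)}-byte salted password")
        except ScramRejected as exc:
            print(f"{label}: rejected ({exc})")
```

The point of the ordering is that validation completes before `hashlib.pbkdf2_hmac` is ever called, so the cost of handling an oversized iteration count is a regex match and an integer comparison rather than the work the server asked for. A client library that logs the rejected count alongside the server address also gives operators a signal that a database endpoint is misconfigured or not the server they expected.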
Copilot AI review requested due to automatic review settings May 6, 2026 16:20
@ailuckly ailuckly merged commit 3bdaf68 into develop May 6, 2026
7 checks passed

Copilot AI left a comment


Pull request overview

Updates the PostgreSQL JDBC driver version in vocata-server to address a GitHub security advisory related to SCRAM authentication CPU exhaustion (unbounded PBKDF2 iterations).

Changes:

  • Bump org.postgresql:postgresql from 42.7.7 to 42.7.11 via the postgresql.version Maven property.


@ailuckly ailuckly deleted the fix/pgjdbc-scram-dos branch May 7, 2026 12:03