Skip to content

chore(java): bump org.postgresql:postgresql from 42.7.11 to 42.7.12 in /java#4476

Merged
lidavidm merged 1 commit into
mainfrom
dependabot/maven/java/org.postgresql-postgresql-42.7.12
Jul 7, 2026
Merged

chore(java): bump org.postgresql:postgresql from 42.7.11 to 42.7.12 in /java#4476
lidavidm merged 1 commit into
mainfrom
dependabot/maven/java/org.postgresql-postgresql-42.7.12

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Bumps org.postgresql:postgresql from 42.7.11 to 42.7.12.

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.12: security

Silent channel-binding authentication downgrade (CVE-2026-54291)

channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS (with channel binding) to plain SCRAM-SHA-256 (without it), losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection triggers the downgrade with a certificate whose signature algorithm has no tls-server-end-point channel-binding hash. Examples are Ed25519, Ed448, and post-quantum algorithms.

Two issues combine in releases 42.7.4 through 42.7.11:

The bundled com.ongres.scram:scram-client (3.1 or 3.2) returns an empty byte array instead of failing when it cannot derive the binding hash for such a certificate. This is the library issue tracked as GHSA-p9jg-fcr6-3mhf.

pgJDBC does not enforce channelBinding=require where it matters. ScramAuthenticator checks only that the server advertised a -PLUS mechanism; it neither rejects the empty binding nor checks that the negotiated mechanism uses channel binding. The connection therefore downgrades silently.

Only connections that set channelBinding=require are affected. Under the default prefer policy, and under allow or disable, falling back to plain SCRAM is the documented behaviour.

Releases before 42.7.4 are unaffected, because they do not support channel binding.

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.12] (2026-06-29)

Security

  • fix: Enforce SCRAM channel-binding policy and prevent silent downgrade. Under channelBinding=require, the driver silently downgraded from SCRAM-SHA-256-PLUS (with channel binding) to plain SCRAM-SHA-256 (without it) when the server presented a certificate whose signature algorithm has no tls-server-end-point channel-binding hash (e.g. Ed25519, Ed448, or post-quantum algorithms). An attacker who can intercept the TLS connection could exploit this to strip channel-binding protection. The fix enforces channel binding in the driver's own code: it now fails the connection when no binding data can be extracted, and verifies the negotiated mechanism uses channel binding (-PLUS) when require is set. Only connections that set channelBinding=require are affected. The default prefer policy and releases before 42.7.4 (which introduced channel-binding support) are unaffected. See the Security Advisory for more detail. The following CVE-2026-54291 has been issued.
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) from 42.7.11 to 42.7.12.
- [Release notes](https://github.com/pgjdbc/pgjdbc/releases)
- [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md)
- [Commits](pgjdbc/pgjdbc@REL42.7.11...REL42.7.12)

---
updated-dependencies:
- dependency-name: org.postgresql:postgresql
  dependency-version: 42.7.12
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Dependabot-only java Pull requests that update Java code labels Jul 7, 2026
@dependabot dependabot Bot requested a review from lidavidm as a code owner July 7, 2026 20:23
@dependabot dependabot Bot added dependencies Dependabot-only java Pull requests that update Java code labels Jul 7, 2026
@lidavidm lidavidm merged commit aaf0433 into main Jul 7, 2026
19 checks passed
@lidavidm lidavidm deleted the dependabot/maven/java/org.postgresql-postgresql-42.7.12 branch July 7, 2026 22:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Dependabot-only java Pull requests that update Java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant