Skip to content

Update dependency org.postgresql:postgresql to v42.7.7 [SECURITY] #98

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 11, 2025
Merged

Update dependency org.postgresql:postgresql to v42.7.7 [SECURITY] #98

merged 1 commit into from
Jun 11, 2025

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jun 11, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.postgresql:postgresql (source) 42.7.6 -> 42.7.7 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-49146

Impact

When the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements.

Patches

TBD

Workarounds

Configure sslMode=verify-full to prevent MITM attacks.

References

Release Notes

pgjdbc/pgjdbc (org.postgresql:postgresql)

v42.7.7

Security
  • security: Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration.
    Fix channel binding required handling to reject non-SASL authentication
    Previously, when channel binding was set to "require", the driver would silently ignore this
    requirement for non-SASL authentication methods. This could lead to a false sense of security
    when channel binding was explicitly requested but not actually enforced. The fix ensures that when
    channel binding is set to "require", the driver will reject connections that use
    non-SASL authentication methods or when SASL authentication has not completed properly.
    See the Security Advisory for more detail. Reported by George MacKerron
    The following CVE-2025-49146 has been issued
Added
  • test: Added ChannelBindingRequiredTest to verify proper behavior of channel binding settings

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jun 11, 2025
@renovate renovate bot requested a review from a team as a code owner June 11, 2025 14:59
@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jun 11, 2025
@renovate renovate bot enabled auto-merge (squash) June 11, 2025 14:59
@renovate renovate bot merged commit caa31ff into master Jun 11, 2025
13 of 14 checks passed
@renovate renovate bot deleted the renovate/revision branch June 11, 2025 15:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant