CVE-2022-31197 - postgresql critical security vulnerability at version 42.3.X and 42.4.0

[shalomyasap]

Please see the follow postgresql security issue
https://www.postgresql.org/about/news/postgresql-jdbc-versions-424142226-security-update-2492/
https://nvd.nist.gov/vuln/detail/CVE-2022-31197

CVE fixed at version 42.4.1

Regards,
Shalom

[bclozel]

Dependency upgrades are usually done with our semi-automatic process, as stated in the issue template. There's no need to create such issues.

Spring Boot 2.6.x and 2.7.x is on the 42.3.x generation and it seems no patch will be released for this line:

We are not releasing a version for the 43.3.x release line and users are advised to upgrade to the 42.4.1 release to get the fix.

Spring Boot 3.0 is based on the 42.4.x generation right now.

I'm marking this for team discussion as we usually don't upgrade to minor versions in maintenance releases.

[dbahatSAP]

@bclozel it seems that the postgres team motivation not to upgrade 42.3.x generation is since they saw no reason for dependent components not to upgrade.
If this is not the case, can we please communicate it to them? (perhaps they will keep maintaining 42.3.x if they understand the motivation for spring boot 2.6.x / 2.7.x not to upgrade)

[snicoll]

@dbahatSAP Feel free to raise an issue with them if you'd like to suggest a backport.

[philwebb]

We're going to keep with our documented upgrade policy and remain on the 42.3.x line. It looks like users can upgrade safely themselves if they so wish. If pgjdbc/pgjdbc#2599 is accepted, we'll upgrade to a new 42.3.x version when it is released.