CVE-2022-31197 - postgresql critical security vulnerability at version 42.3.X and 42.4.0 #32126
Comments
Dependency upgrades are usually done with our semi-automatic process, as stated in the issue template. There's no need to create such issues. Spring Boot 2.6.x and 2.7.x are on the 42.3.x generation and it seems no patch will be released for this line:
Spring Boot 3.0 is based on the 42.4.x generation right now. I'm marking this for team discussion as we usually don't upgrade to minor versions in maintenance releases.

@bclozel it seems that the postgres team's motivation for not upgrading the 42.3.x generation is that they saw no reason for dependent components not to upgrade.

@dbahatSAP Feel free to raise an issue with them if you'd like to suggest a backport.

We're going to keep with our documented upgrade policy and remain on the 42.3.x line. It looks like users can upgrade safely themselves if they so wish. If pgjdbc/pgjdbc#2599 is accepted, we'll upgrade to a new 42.3.x version when it is released.
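For readers who want to take the "upgrade yourself" route mentioned above, this is an added example (not from the Spring Boot team or the thread) showing how a project built on the `spring-boot-starter-parent` POM overrides the managed PostgreSQL driver version. It relies on the `postgresql.version` property that `spring-boot-dependencies` uses for the `org.postgresql:postgresql` artifact; the version `42.4.1` is the fixed release named in the issue.

```xml
<!-- pom.xml fragment: pin the pgjdbc driver ahead of the Spring Boot BOM.
     Added example, not part of the original issue. -->
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <!-- PLACEHOLDER: the 2.7.x release your project already uses -->
    <version>2.7.x</version>
  </parent>

  <properties>
    <!-- Overrides the version managed by spring-boot-dependencies.
         42.4.1 is the release the linked advisory names as fixed. -->
    <postgresql.version>42.4.1</postgresql.version>
  </properties>

  <dependencies>
    <!-- No <version> here: the property above is what resolves it. -->
    <dependency>
      <groupId>org.postgresql</groupId>
      <artifactId>postgresql</artifactId>
      <scope>runtime</scope>
    </dependency>
  </dependencies>
</project>
```

Verify the override took effect with `mvn dependency:tree -Dincludes=org.postgresql`, which should list `org.postgresql:postgresql:jar:42.4.1` rather than a 42.3.x version.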
Please see the following postgresql security issue
https://www.postgresql.org/about/news/postgresql-jdbc-versions-424142226-security-update-2492/
https://nvd.nist.gov/vuln/detail/CVE-2022-31197
CVE fixed in version 42.4.1
Regards,
Shalom