Skip to content

chore(deps): update dependency org.postgresql:postgresql to v42.7.7 [security] #3486

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 12, 2025
Merged

chore(deps): update dependency org.postgresql:postgresql to v42.7.7 [security] #3486

merged 1 commit into from
Jun 12, 2025

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jun 11, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.postgresql:postgresql (source) 42.7.6 -> 42.7.7 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-49146

Impact

When the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements.

Patches

TBD

Workarounds

Configure sslMode=verify-full to prevent MITM attacks.

References

Release Notes

pgjdbc/pgjdbc (org.postgresql:postgresql)

v42.7.7

Security
  • security: Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration.
    Fix channel binding required handling to reject non-SASL authentication
    Previously, when channel binding was set to "require", the driver would silently ignore this
    requirement for non-SASL authentication methods. This could lead to a false sense of security
    when channel binding was explicitly requested but not actually enforced. The fix ensures that when
    channel binding is set to "require", the driver will reject connections that use
    non-SASL authentication methods or when SASL authentication has not completed properly.
    See the Security Advisory for more detail. Reported by George MacKerron
    The following CVE-2025-49146 has been issued
Added
  • test: Added ChannelBindingRequiredTest to verify proper behavior of channel binding settings

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@coveralls
Copy link

Coverage Status

coverage: 87.299% (-0.009%) from 87.308%
when pulling 8c2dedd on renovate/maven-org.postgresql-postgresql-vulnerability
into ec5fb12 on master.

@hazendaz hazendaz merged commit 2134edc into master Jun 12, 2025
28 of 30 checks passed
@renovate renovate bot deleted the renovate/maven-org.postgresql-postgresql-vulnerability branch June 12, 2025 17:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@coveralls @hazendaz