postgresql-jdbc-42.2.28-1.el9_3

Errata ID: AXSA:2024-7626:01

Release date: Friday, March 22, 2024 - 13:51
Subject: postgresql-jdbc-42.2.28-1.el9_3
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database.

Security Fix(es):

* PostgreSQL JDBC Driver allows an attacker to inject SQL if using PreferQueryMode=SIMPLE (CVE-2024-1597)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-1597
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.
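As an added example, not code from the advisory or from pgjdbc, the following is a coarse check a defender can run over an application's SQL constants and its JDBC URL to find the combination the CVE text describes (simple query mode plus a `-?` placeholder followed by a second `?` on the same line). The URL, table name and sample statements are constructed, and the regex is a heuristic: it does not know parameter types and does not skip string literals.

```java
import java.util.List;
import java.util.regex.Pattern;

/**
 * Pre-deployment check for the statement shape CVE-2024-1597 needs when the
 * driver runs with preferQueryMode=simple. A hit means "review this
 * statement", not proof of exploitability (assumed heuristic, see lead-in).
 */
public final class SimpleModePlaceholderCheck {

    /** "-?" followed by another "?" with no line break in between. */
    private static final Pattern RISKY_SHAPE = Pattern.compile("-\\?[^\\n]*\\?");

    /** preferQueryMode=simple in a JDBC URL; matched case-insensitively on purpose. */
    private static final Pattern SIMPLE_MODE =
            Pattern.compile("(?i)[?&]preferQueryMode=simple(?:&|$)");

    public static boolean hasRiskyShape(String sql) {
        return RISKY_SHAPE.matcher(sql).find();
    }

    public static boolean requestsSimpleMode(String jdbcUrl) {
        return SIMPLE_MODE.matcher(jdbcUrl).find();
    }

    /** Only the combination matters: simple mode AND the placeholder shape. */
    public static boolean needsReview(String jdbcUrl, String sql) {
        return requestsSimpleMode(jdbcUrl) && hasRiskyShape(sql);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; host, database and table are placeholders.
        String simpleUrl = "jdbc:postgresql://db.example/app?preferQueryMode=simple";
        String defaultUrl = "jdbc:postgresql://db.example/app";
        List<String> statements = List.of(
                "SELECT -?, ? FROM t",                // flagged: "-?" then "?" on one line
                "UPDATE t SET n = - ? WHERE s = ?",   // not flagged: space after the minus
                "SELECT -?\nFROM t WHERE s = ?",      // not flagged: second '?' on the next line
                "SELECT ?, ? FROM t");                // not flagged: no minus before a placeholder
        for (String sql : statements) {
            System.out.printf("simple=%b default=%b  %s%n",
                    needsReview(simpleUrl, sql), needsReview(defaultUrl, sql),
                    sql.replace('\n', ' '));
        }
        // Mitigation per the advisory: keep the default (extended) query mode,
        // or update to the fixed package postgresql-jdbc-42.2.28.
    }
}
```

With the default URL every statement reports `default=false`, which matches the advisory's note that the default mode is not affected.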

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. postgresql-jdbc-42.2.28-1.el9_3.src.rpm
    MD5: 4be45e97f33b8c221edfedf6b0a4f5f1
    SHA-256: 4da724c64d81836dab0270ac91c62dc817b4c8d0f2e7259e22d5e029bc745e55
    Size: 914.26 kB

Asianux Server 9 for x86_64
  1. postgresql-jdbc-42.2.28-1.el9_3.noarch.rpm
    MD5: 1094e0e0e9feacbf78cecb0291805975
    SHA-256: 4c89adcbf2d4499d788743627583a183ba1a264cf28e4adc88ff01ee090cb612
    Size: 790.49 kB