postgresql-jdbc-42.2.14-3.el8_9

Errata ID: AXSA:2024-7627:02

Release date: 
Friday, March 22, 2024 - 15:51
Subject: 
postgresql-jdbc-42.2.14-3.el8_9
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database.

Security Fix(es):

* PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE (CVE-2024-1597)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-1597
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if the connection uses PreferQueryMode=SIMPLE. Note that this is not the default; in the default (extended) query mode there is no vulnerability. The vulnerable query shape is specific: a placeholder for a numeric value must be immediately preceded by a minus sign, and a second placeholder for a string value must follow it on the same line. By supplying a negative number for the first placeholder and a matching string payload for the second, the attacker can inject SQL that alters the query, bypassing the protections that parameterized queries normally provide against SQL injection. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
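The following is an added illustration of the mechanism behind CVE-2024-1597 and of two checks an operator can run against their own code; it is not pgjdbc's code and is not part of this advisory. It models the two facts the CVE text relies on: in simple query mode the driver inlines parameter values into the query text client-side, and a minus sign in the query text followed by an inlined negative number produces "--", which PostgreSQL reads as a line comment running to the end of the line. The table name, query, attacker string, and the parenthesising of negative numbers in the hardened variant are all constructed for the example; the parenthesising is an assumed sufficient mitigation in this model, not a description of the upstream patch. Updating the package remains the fix.

```python
"""Model of CVE-2024-1597: client-side parameter inlining under preferQueryMode=simple.

Added example, not pgjdbc source. Sample query, table, and payload are constructed."""
import re
from typing import Dict, List, Optional, Sequence, Union
from urllib.parse import parse_qsl

Param = Union[int, float, str]


def inline_simple(sql: str, params: Sequence[Param], harden: bool = False) -> str:
    """Substitute '?' placeholders the way a simple-mode driver would: numbers are
    written bare, strings are quoted with embedded quotes doubled. With harden=True,
    negative numbers are wrapped in parentheses so they can never pair with a '-'
    already present in the query text (assumed mitigation for this model only)."""
    parts = sql.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    out = [parts[0]]
    for value, tail in zip(params, parts[1:]):
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            text = str(value)
            if harden and text.startswith("-"):
                text = "(" + text + ")"
        else:
            text = "'" + str(value).replace("'", "''") + "'"
        out.append(text)
        out.append(tail)
    return "".join(out)


def sql_skeleton(sql: str) -> str:
    """Return what the server actually parses as SQL: '--' line comments dropped and
    the bodies of '...' literals blanked, so the statement structure can be compared
    without the attacker-controlled text getting in the way."""
    out: List[str] = []
    i, n = 0, len(sql)
    while i < n:
        if sql[i] == "'":                      # string literal: keep quotes, drop body
            out.append("''")
            i += 1
            while i < n:
                if sql[i] == "'":
                    if i + 1 < n and sql[i + 1] == "'":   # doubled quote inside literal
                        i += 2
                        continue
                    i += 1
                    break
                i += 1
        elif sql.startswith("--", i):          # line comment runs to end of line
            j = sql.find("\n", i)
            i = n if j == -1 else j
        else:
            out.append(sql[i])
            i += 1
    return "".join(out)


def uses_simple_query_mode(jdbc_url: str, properties: Optional[Dict[str, str]] = None) -> bool:
    """True if a connection would run under preferQueryMode=simple, whether the option
    is given in the JDBC URL query string or in the Properties passed to getConnection."""
    props = dict(parse_qsl(jdbc_url.partition("?")[2]))
    props.update(properties or {})
    return props.get("preferQueryMode", "extended").lower() == "simple"


# Coarse source audit for the query shape the advisory describes: a '-?' placeholder
# followed by another '?' on the same line. Heuristic only: it does not parse Java, so a
# '?' inside a comment or a ternary expression can produce a false positive.
PLACEHOLDER_SHAPE = re.compile(r"-\?.*\?")


def risky_query_lines(source: str) -> List[int]:
    """Return 1-based line numbers of source lines matching the vulnerable shape."""
    return [n for n, line in enumerate(source.splitlines(), 1) if PLACEHOLDER_SHAPE.search(line)]


# Constructed sample: numeric placeholder right after '-', string placeholder on the same line.
QUERY = "SELECT * FROM accounts WHERE balance > -? AND owner = ?"
# Attacker-controlled values: -1 turns '-?' into '--', the newline in the string ends the
# comment so the rest of the string becomes live SQL, and the trailing '--' hides the quote.
PARAMS: List[Param] = [-1, "\n1; DROP TABLE accounts; --"]


def demo() -> Dict[str, str]:
    """Render the same query/parameters with and without the hardening, as the server sees them."""
    return {
        "unsafe": sql_skeleton(inline_simple(QUERY, PARAMS)),
        "hardened": sql_skeleton(inline_simple(QUERY, PARAMS, harden=True)),
    }


if __name__ == "__main__":
    for name, text in demo().items():
        print(f"--- {name} (as parsed by the server) ---\n{text}\n")
    print("simple mode:", uses_simple_query_mode(
        "jdbc:postgresql://db.example.internal:5432/app?preferQueryMode=simple"))
```

In the unsafe rendering the first line of the statement ends in a comment, so the opening quote of the string literal never reaches the parser and the second line of the attacker's value ("1; DROP TABLE accounts;") is executed as SQL. In the hardened rendering the literal stays intact and the injected text is inert string content. In practice, run uses_simple_query_mode against every DataSource/URL in the deployment and risky_query_lines over the Java sources to find connections and queries that need attention before the updated package is rolled out.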

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. postgresql-jdbc-42.2.14-3.el8_9.src.rpm
    MD5: 9c8a1b5d7f0524ffaf9e60f39927c9a0
    SHA-256: dba4df156a19bf961f437ac272e881a1a525ce5c7f0d6176a4e34620b5513674
    Size: 880.82 kB

Asianux Server 8 for x86_64
  1. postgresql-jdbc-42.2.14-3.el8_9.noarch.rpm
    MD5: 4acd4b3e8c0410a36a5c23666e9d3365
    SHA-256: a84a59f7b4aa6a567340d701823f8b602972f7afde7ddf88b40b25ac91e485ed
    Size: 752.95 kB
  2. postgresql-jdbc-javadoc-42.2.14-3.el8_9.noarch.rpm
    MD5: bde687f809a53e6369d2b09d109b485f
    SHA-256: cd4947b294ea21b51ef50b3742d87701518b84363518af2aa149693a7fb3f9cf
    Size: 658.28 kB