Format: 1.8
Date: Mon, 08 Aug 2022 14:53:28 +0200
Source: libpgjava
Architecture: source
Version: 42.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Closes: 1016662
Changes:
 libpgjava (42.4.1-1) unstable; urgency=medium
 .
   * New upstream version 42.4.1
 .
     Fixes SQL generated in PgResultSet.refresh() to escape column
     identifiers so as to prevent SQL injection.
     (Closes: #1016662, CVE-2022-31197, reported by Sho Kato)
 .
     Previously, the column names for both key and data columns in the
     table were copied as-is into the generated SQL. This allowed a
     malicious table with column names that include a statement terminator
     to be parsed and executed as multiple separate commands.
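
The changelog entry above describes column names being copied as-is into the SQL generated for PgResultSet.refresh(). The following Java program is an added example, not code from pgjdbc or from the Debian package: the class, the helpers quoteIdentifier, refreshSqlUnescaped and refreshSqlEscaped, and the sample table and column names are all constructed for illustration. It builds the same refresh query with and without identifier quoting.

```java
import java.util.List;
import java.util.stream.Collectors;

public class RefreshSqlExample {

    // Hypothetical helper (not the driver's API): quote a PostgreSQL
    // identifier by wrapping it in double quotes and doubling any embedded
    // double quote. NUL cannot appear in an identifier, so it is rejected.
    static String quoteIdentifier(String name) {
        if (name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("identifier contains a NUL character");
        }
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    // "Before" behaviour described in the changelog: key and data column
    // names are concatenated into the statement exactly as stored.
    static String refreshSqlUnescaped(String table, List<String> dataCols, List<String> keyCols) {
        String where = keyCols.stream()
                .map(k -> k + " = ?")
                .collect(Collectors.joining(" AND "));
        return "SELECT " + String.join(", ", dataCols) + " FROM " + table + " WHERE " + where;
    }

    // "After" behaviour: every column name is emitted as a quoted identifier,
    // so its content can never end the statement. The table name is a
    // trusted constant in this example and is left unchanged.
    static String refreshSqlEscaped(String table, List<String> dataCols, List<String> keyCols) {
        String cols = dataCols.stream()
                .map(RefreshSqlExample::quoteIdentifier)
                .collect(Collectors.joining(", "));
        String where = keyCols.stream()
                .map(k -> quoteIdentifier(k) + " = ?")
                .collect(Collectors.joining(" AND "));
        return "SELECT " + cols + " FROM " + table + " WHERE " + where;
    }

    public static void main(String[] args) {
        // Constructed sample: one ordinary key column and one data column
        // whose name contains a statement terminator and a double quote.
        List<String> keys = List.of("id");
        List<String> data = List.of("id", "note\"; SELECT 1; --");
        System.out.println("unescaped: " + refreshSqlUnescaped("t", data, keys));
        System.out.println("escaped:   " + refreshSqlEscaped("t", data, keys));
    }
}
```

In the unescaped output the semicolon inside the column name splits the text into more than one statement; in the escaped output the whole name, with its double quote doubled, stays inside a single quoted identifier.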