Format: 1.8
Date: Wed, 23 Apr 2025 11:04:24 +0200
Source: golang-github-jackc-pgx
Architecture: source
Version: 4.18.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Closes: 1065686 1065687
Changes:
 golang-github-jackc-pgx (4.18.1-2) unstable; urgency=medium
 .
   * Team upload.
   * Create a new git branch to fix CVEs during soft freeze.
   * Add two patches from upstream
     - CVE-2024-27289
       pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2,
       SQL injection can occur when all of the following conditions are met:
       the non-default simple protocol is used; a placeholder for a numeric
       value must be immediately preceded by a minus; there must be a second
       placeholder for a string value after the first placeholder; both must
       be on the same line; and both parameter values must be user-controlled.
       The problem is resolved in v4.18.2. As a workaround, do not use the
       simple protocol or do not place a minus directly before a placeholder.
       Closes: #1065686
     - CVE-2024-27304
       pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur
       if an attacker can cause a single query or bind message to exceed 4 GB
       in size. An integer overflow in the calculated message size can cause
       the one large message to be sent as multiple messages under the
       attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a
       workaround, reject user input large enough to cause a single query or
       bind message to exceed 4 GB in size.
       Closes: #1065687