-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 29 Apr 2026 11:08:43 +0200
Source: libpgjava
Architecture: source
Version: 42.7.11-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
libpgjava (42.7.11-1) unstable; urgency=medium
.
* New upstream version 42.7.11.
* Limit SCRAM PBKDF2 iterations accepted from the server.
pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256
authentication, where a malicious or compromised PostgreSQL server could
specify an extremely large PBKDF2 iteration count, causing the client to
consume unbounded CPU and potentially exhaust connection pools. The fix
introduces a new scramMaxIterations connection property (defaulting to
100,000) to cap iteration counts before computation begins.
(CVE-2026-42198)
Checksums-Sha1:
c3820a390027c9c8cea6dfee674b2266326f48f9 2426 libpgjava_42.7.11-1.dsc
2eaf56e603341e2c83b9ea3f232b6aa41563e0ca 1081223 libpgjava_42.7.11.orig.tar.gz
efbd6ded05d7a18142493d55246e5b7280d0a6dc 10952 libpgjava_42.7.11-1.debian.tar.xz
Checksums-Sha256:
47afe2e57ba554a1d7478209ae1faf9adf841c7db71d92fa63253c9dad49c884 2426 libpgjava_42.7.11-1.dsc
fe160f3ab61e486e071f7cc53131998613c81d032c73be72208a99d2f63220ff 1081223 libpgjava_42.7.11.orig.tar.gz
adbfc94a76f81c1c76e20035e071e40dc8876d7c677c0b17dc966d3f37f35f76 10952 libpgjava_42.7.11-1.debian.tar.xz
Files:
9130d1f2f91b1ec3ff5a4b2cb7e192f8 2426 java optional libpgjava_42.7.11-1.dsc
102767da3052d6d803f1b6f7260aa6e4 1081223 java optional libpgjava_42.7.11.orig.tar.gz
994baff7a237ad0076e37939a5561a2f 10952 java optional libpgjava_42.7.11-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
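
The check described in the changelog entry above, sketched as an added example (not pgjdbc's code and not part of this upload): the iteration count from the SCRAM server-first-message is validated against a cap before PBKDF2 runs. The class and method names are hypothetical, the sample messages are constructed, and the 100,000 default is the value stated in the changelog.

```java
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration, not pgjdbc source. Class and method names are hypothetical.
public class ScramIterationCap {
    // Default cap stated in the changelog for the scramMaxIterations property.
    static final int DEFAULT_MAX_ITERATIONS = 100_000;

    // Parses i= from a SCRAM server-first-message; rejects malformed or out-of-range values.
    static int checkedIterations(String serverFirst, int maxIterations) {
        for (String attr : serverFirst.split(",")) {
            if (attr.startsWith("i=")) {
                long n; // long, so values above Integer.MAX_VALUE are rejected, not wrapped
                try { n = Long.parseLong(attr.substring(2)); }
                catch (NumberFormatException e) { throw new IllegalArgumentException("malformed iteration count", e); }
                if (n < 1 || n > maxIterations) {
                    throw new IllegalArgumentException("iteration count " + n + " outside 1.." + maxIterations);
                }
                return (int) n;
            }
        }
        throw new IllegalArgumentException("server-first-message has no i= attribute");
    }

    // Derives the SCRAM SaltedPassword; the cap is enforced before any hashing starts.
    static byte[] saltedPassword(char[] password, String serverFirst, int maxIterations) throws GeneralSecurityException {
        int iterations = checkedIterations(serverFirst, maxIterations);
        byte[] salt = null;
        for (String attr : serverFirst.split(",")) {
            if (attr.startsWith("s=")) salt = Base64.getDecoder().decode(attr.substring(2));
        }
        if (salt == null) throw new IllegalArgumentException("server-first-message has no s= attribute");
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample messages: one ordinary, one with an oversized i= value.
        String ok = "r=clientnonceSERVERNONCE,s=QSXCR+Q6sek8bf92,i=4096";
        String oversized = "r=clientnonceSERVERNONCE,s=QSXCR+Q6sek8bf92,i=2000000000";
        char[] pw = "pencil".toCharArray();
        System.out.println("derived bytes: " + saltedPassword(pw, ok, DEFAULT_MAX_ITERATIONS).length);
        try {
            saltedPassword(pw, oversized, DEFAULT_MAX_ITERATIONS);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```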