golang-github-jackc-pgx - Debian Package Tracker

general

source: golang-github-jackc-pgx (main)
version: 4.18.1-1
maintainer: Debian Go Packaging Team (DMD)
uploaders: Pirate Praveen [DMD] – Dmitry Smirnov [DMD]
arch: all
std-ver: 4.6.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 3.6.2-2
stable: 4.15.0-4
testing: 4.18.1-1
unstable: 4.18.1-1

versioned links

3.6.2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.15.0-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.18.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

golang-github-jackc-pgx-v4-dev

action needed

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0:00:57
Last run: 2020-01-23T16:53:31.000Z
Previous status: unknown

Created: 2020-04-20 Last update: 2025-04-17 19:04

A new upstream version is available: 5.7.4 high

A new upstream version 5.7.4 is available, you should consider packaging it.

Created: 2022-04-17 Last update: 2025-04-17 18:00

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2024-27289: pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.
CVE-2024-27304: pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

Created: 2024-03-07 Last update: 2025-02-27 05:02

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2024-27289: pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.
CVE-2024-27304: pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

Created: 2024-03-07 Last update: 2025-02-27 05:02

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 5.7.1-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 8ca5db1c886027006ce22336f3f5544df979872b
Author: tous <touss@protonmail.com>
Date:   Fri Nov 1 11:31:56 2024 -0300

    Drop unnecessary /v4 suffix in XS-Go-Import-Path

commit 17b786ab1274b5a5fd3d3daf3d4ec2eddd84a887
Author: tous <touss@protonmail.com>
Date:   Fri Nov 1 11:30:22 2024 -0300

    Update debian/changelog

commit 26f74bd3c8a8a564a95e6eb9317dcd40c47f60c2
Merge: 44d79f1 a1e52c4
Author: tous <touss@protonmail.com>
Date:   Wed Oct 23 11:55:44 2024 -0300

    Update upstream source from tag 'upstream/5.7.1'
    
    Update to upstream version '5.7.1'
    with Debian dir c440bc1b285fdd730a4a60867860c65db350a935

commit a1e52c47f0988c277bf01a0b6884e87a98bde9eb
Author: tous <touss@protonmail.com>
Date:   Wed Oct 23 11:55:42 2024 -0300

    New upstream version 5.7.1

Created: 2024-11-01 Last update: 2025-04-14 16:33

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2024-27289: (needs triaging) pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.
CVE-2024-27304: (needs triaging) pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-03-07 Last update: 2025-02-27 05:02

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.0).

Created: 2022-05-11 Last update: 2025-02-27 13:25

news

[rss feed]

[2024-03-03] golang-github-jackc-pgx 4.18.1-1 MIGRATED to testing (Debian testing watch)
[2024-02-27] Accepted golang-github-jackc-pgx 4.18.1-1 (source) into unstable (Anthony Fok)
[2022-11-26] golang-github-jackc-pgx 4.15.0-4 MIGRATED to testing (Debian testing watch)
[2022-09-28] golang-github-jackc-pgx REMOVED from testing (Debian testing watch)
[2022-04-23] golang-github-jackc-pgx 4.15.0-4 MIGRATED to testing (Debian testing watch)
[2022-04-18] Accepted golang-github-jackc-pgx 4.15.0-4 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2022-04-17] Accepted golang-github-jackc-pgx 4.15.0-3 (source all) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2022-04-17] Accepted golang-github-jackc-pgx 4.15.0-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2022-03-28] Accepted golang-github-jackc-pgx 4.15.0-1 (source all) into experimental, experimental (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)
[2020-08-09] golang-github-jackc-pgx 3.6.2-2 MIGRATED to testing (Debian testing watch)
[2020-08-03] Accepted golang-github-jackc-pgx 3.6.2-2 (source) into unstable (Stephen Gelman)
[2020-02-09] golang-github-jackc-pgx 3.6.2-1 MIGRATED to testing (Debian testing watch)
[2020-02-04] Accepted golang-github-jackc-pgx 3.6.2-1 (source) into unstable (Dmitry Smirnov)
[2020-01-15] Accepted golang-github-jackc-pgx 3.6.1-1 (source) into unstable (Dmitry Smirnov)
[2020-01-13] Accepted golang-github-jackc-pgx 3.6.0-1 (source all) into unstable, unstable (Dmitry Smirnov)

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.18.1-1