libpgjava - Debian Package Tracker

general

source: libpgjava (main)
version: 42.5.4-1
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Christoph Berg [DMD] – Andrew Ross [DMD] – Matthias Klose [DMD] – Debian PostgreSQL Maintainers [DMD]
arch: all
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 42.2.5-2+deb10u1
o-o-sec: 42.2.5-2+deb10u3
oldstable: 42.2.15-1+deb11u1
old-sec: 42.2.15-1+deb11u1
stable: 42.5.4-1
testing: 42.5.4-1
unstable: 42.5.4-1
exp: 42.6.0-1

versioned links

42.2.5-2+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
42.2.5-2+deb10u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
42.2.15-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
42.5.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
42.6.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libpostgresql-jdbc-java
libpostgresql-jdbc-java-doc

action needed

A new upstream version is available: 42.6.0 high

A new upstream version 42.6.0 is available, you should consider packaging it.

Created: 2023-03-18 Last update: 2023-09-30 12:34

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 42.6.0-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 5c0cbd2ed8938417de447a7fa54024d2d1e12e79
Author: Christoph Berg <myon@debian.org>
Date:   Tue May 23 11:32:02 2023 +0200

    Remove ancient Replaces/Conflicts. Thanks Helmut Grohne for the report.

Created: 2023-05-23 Last update: 2023-09-26 21:16

lintian reports 4 warnings normal

Lintian reports 4 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2023-02-22 Last update: 2023-02-22 11:03

2 low-priority security issues in bullseye low

There are 2 open security issues in bullseye.

2 issues left for the package maintainer to handle:

CVE-2022-31197: (needs triaging) PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2022-41946: (needs triaging) pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-08-05 Last update: 2023-06-11 06:30

debian/patches: 2 patches to forward upstream low

Among the 2 debian patches available in version 42.5.4-1 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-02-26 15:54

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.5.0).

Created: 2020-11-17 Last update: 2023-02-18 06:21

news

[rss feed]

[2023-03-27] Accepted libpgjava 42.6.0-1 (source) into experimental (Christoph Berg)
[2023-02-28] libpgjava 42.5.4-1 MIGRATED to testing (Debian testing watch)
[2023-02-17] Accepted libpgjava 42.5.4-1 (source) into unstable (Christoph Berg)
[2023-02-12] libpgjava 42.5.3-1 MIGRATED to testing (Debian testing watch)
[2023-02-09] Accepted libpgjava 42.5.3-1 (source) into unstable (Christoph Berg)
[2022-12-02] Accepted libpgjava 42.2.5-2+deb10u3 (source) into oldstable (Utkarsh Gupta)
[2022-11-26] libpgjava 42.5.1-1 MIGRATED to testing (Debian testing watch)
[2022-11-24] Accepted libpgjava 42.5.1-1 (source) into unstable (Christoph Berg)
[2022-10-07] Accepted libpgjava 42.2.5-2+deb10u2 (source) into oldstable (Chris Lamb)
[2022-09-04] libpgjava 42.5.0-1 MIGRATED to testing (Debian testing watch)
[2022-08-26] Accepted libpgjava 42.5.0-1 (source) into unstable (Christoph Berg)
[2022-08-24] libpgjava 42.4.2-1 MIGRATED to testing (Debian testing watch)
[2022-08-24] libpgjava 42.4.2-1 MIGRATED to testing (Debian testing watch)
[2022-08-22] Accepted libpgjava 42.4.2-1 (source) into unstable (Christoph Berg)
[2022-08-11] libpgjava 42.4.1-1 MIGRATED to testing (Debian testing watch)
[2022-08-08] Accepted libpgjava 42.4.1-1 (source) into unstable (Christoph Berg)
[2022-08-06] Accepted libpgjava 42.2.15-1+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2022-08-02] Accepted libpgjava 42.2.5-2+deb10u1 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2022-07-31] Accepted libpgjava 42.2.5-2+deb10u1 (source) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Markus Koschany)
[2022-07-31] Accepted libpgjava 42.2.15-1+deb11u1 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2022-06-19] libpgjava 42.4.0-1 MIGRATED to testing (Debian testing watch)
[2022-06-14] Accepted libpgjava 42.4.0-1 (source) into unstable (Christoph Berg)
[2022-05-29] libpgjava 42.3.6-1 MIGRATED to testing (Debian testing watch)
[2022-05-29] libpgjava 42.3.6-1 MIGRATED to testing (Debian testing watch)
[2022-05-27] Accepted libpgjava 42.3.6-1 (source) into unstable (Christoph Berg)
[2022-05-20] Accepted libpgjava 9.4.1212-1+deb9u1 (source) into oldoldstable (Markus Koschany)
[2022-05-09] libpgjava 42.3.5-1 MIGRATED to testing (Debian testing watch)
[2022-05-06] Accepted libpgjava 42.3.5-1 (source) into unstable (Christoph Berg)
[2022-05-05] libpgjava 42.3.4-1 MIGRATED to testing (Debian testing watch)
[2022-05-05] libpgjava 42.3.4-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 4)
buildd: logs, exp, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
l10n (-, 40)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 42.5.4-1