libpgjava - Debian Package Tracker

general

source: libpgjava (main)
version: 42.7.11-1
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Christoph Berg [DMD] – Matthias Klose [DMD] – Andrew Ross [DMD] – Debian PostgreSQL Maintainers [DMD]
arch: all
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 42.2.15-1+deb11u1
o-o-sec: 42.2.15-1+deb11u2
oldstable: 42.5.5-0+deb12u1
stable: 42.7.7-1
testing: 42.7.11-1
unstable: 42.7.11-1

versioned links

42.2.15-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
42.2.15-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
42.5.5-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
42.7.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
42.7.11-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libpostgresql-jdbc-java

action needed

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2026-42198: pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.

Created: 2026-04-29 Last update: 2026-06-18 13:32

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2026-42198: pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.

Created: 2026-04-29 Last update: 2026-06-18 13:32

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 42.7.11-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 162a5db56005788646427995670b2a7f3e072b7b
Author: Christoph Berg <myon@debian.org>
Date:   Sat Jun 13 18:59:51 2026 +0200

    Switch to Static-Built-Using.

commit b1ccdc5dd9a20c81568b64212f377c678a0649b5
Author: Christoph Berg <myon@debian.org>
Date:   Sat Jun 13 18:59:35 2026 +0200

    Remove debian/maven-repo/ on clean

Created: 2026-06-13 Last update: 2026-06-21 21:00

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-42198: (needs triaging) pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-04-29 Last update: 2026-06-18 13:32

debian/patches: 1 patch to forward upstream low

Among the 1 debian patch available in version 42.7.11-1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-04-29 18:17

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).

Created: 2025-12-23 Last update: 2026-04-29 18:18

news

[rss feed]

[2026-05-03] libpgjava 42.7.11-1 MIGRATED to testing (Debian testing watch)
[2026-04-29] Accepted libpgjava 42.7.11-1 (source) into unstable (Christoph Berg)
[2026-02-19] libpgjava 42.7.10-1 MIGRATED to testing (Debian testing watch)
[2026-02-11] Accepted libpgjava 42.7.10-1 (source) into unstable (Christoph Berg)
[2026-01-20] libpgjava 42.7.9-1 MIGRATED to testing (Debian testing watch)
[2026-01-17] Accepted libpgjava 42.7.9-1 (source) into unstable (Christoph Berg)
[2025-12-07] libpgjava 42.7.8-2 MIGRATED to testing (Debian testing watch)
[2025-12-04] Accepted libpgjava 42.7.8-2 (source) into unstable (tony mancill)
[2025-09-30] libpgjava 42.7.8-1 MIGRATED to testing (Debian testing watch)
[2025-09-23] Accepted libpgjava 42.7.8-1 (source) into unstable (Christoph Berg)
[2025-09-23] Accepted libpgjava 42.7.7-2 (source) into unstable (Christoph Berg)
[2025-07-09] libpgjava 42.7.7-1 MIGRATED to testing (Debian testing watch)
[2025-06-13] Accepted libpgjava 42.7.7-1 (source) into unstable (Christoph Berg)
[2025-06-02] Accepted libpgjava 42.7.6-1 (source) into experimental (Christoph Berg)
[2025-04-27] libpgjava 42.7.5-2 MIGRATED to testing (Debian testing watch)
[2025-04-17] Accepted libpgjava 42.7.5-2 (source) into unstable (Christoph Berg)
[2025-02-15] libpgjava 42.7.5-1 MIGRATED to testing (Debian testing watch)
[2025-02-10] Accepted libpgjava 42.7.5-1 (source) into unstable (Emmanuel Bourg)
[2024-12-21] Accepted libpgjava 42.5.5-0+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
[2024-12-16] Accepted libpgjava 42.2.15-1+deb11u2 (source) into oldstable-security (Adrian Bunk)
[2024-12-11] libpgjava 42.7.3-2 MIGRATED to testing (Debian testing watch)
[2024-12-09] Accepted libpgjava 42.7.3-2 (source) into unstable (Emmanuel Bourg)
[2024-05-09] Accepted libpgjava 42.2.5-2+deb10u4 (source) into oldoldstable (Markus Koschany)
[2024-03-18] libpgjava 42.7.3-1 MIGRATED to testing (Debian testing watch)
[2024-03-15] Accepted libpgjava 42.7.3-1 (source) into unstable (Christoph Berg)
[2024-02-24] libpgjava 42.7.2-1 MIGRATED to testing (Debian testing watch)
[2024-02-22] Accepted libpgjava 42.7.2-1 (source) into unstable (Christoph Berg)
[2023-12-10] libpgjava 42.7.1-1 MIGRATED to testing (Debian testing watch)
[2023-12-10] libpgjava 42.7.1-1 MIGRATED to testing (Debian testing watch)
[2023-12-07] Accepted libpgjava 42.7.1-1 (source) into unstable (Christoph Berg)

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
l10n (-, 44)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 42.7.11-1