Debian Package Tracker
Register | Log in
Subscribe

libpgjava

Java database (JDBC) driver for PostgreSQL

Choose email to subscribe with

general
  • source: libpgjava (main)
  • version: 42.7.13-1
  • maintainer: Debian Java Maintainers (archive) (DMD)
  • uploaders: Christoph Berg [DMD] – Matthias Klose [DMD] – Andrew Ross [DMD] – Debian PostgreSQL Maintainers [DMD]
  • arch: all
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 42.2.15-1+deb11u1
  • o-o-sec: 42.2.15-1+deb11u2
  • oldstable: 42.5.5-0+deb12u1
  • stable: 42.7.7-1
  • testing: 42.7.13-1
  • unstable: 42.7.13-1
versioned links
  • 42.2.15-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 42.2.15-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 42.5.5-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 42.7.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 42.7.13-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libpostgresql-jdbc-java
action needed
2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:
  • CVE-2026-42198: pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
  • CVE-2026-54291: pgjdbc is an open source postgresql JDBC Driver. In releases 42.7.4 through 42.7.11, channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256 without it, losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection can trigger the downgrade with a certificate whose signature algorithm has no tls-server-end-point channel-binding hash, because the bundled com.ongres.scram:scram-client returns an empty byte array instead of failing and pgJDBC ScramAuthenticator checks only that the server advertised a PLUS mechanism, without rejecting the empty binding or checking that the negotiated mechanism uses channel binding. This issue is fixed in version 42.7.12.
Created: 2026-04-29 Last update: 2026-07-09 18:20
2 security issues in bookworm high

There are 2 open security issues in bookworm.

2 important issues:
  • CVE-2026-42198: pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
  • CVE-2026-54291: pgjdbc is an open source postgresql JDBC Driver. In releases 42.7.4 through 42.7.11, channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256 without it, losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection can trigger the downgrade with a certificate whose signature algorithm has no tls-server-end-point channel-binding hash, because the bundled com.ongres.scram:scram-client returns an empty byte array instead of failing and pgJDBC ScramAuthenticator checks only that the server advertised a PLUS mechanism, without rejecting the empty binding or checking that the negotiated mechanism uses channel binding. This issue is fixed in version 42.7.12.
Created: 2026-04-29 Last update: 2026-07-09 18:20
2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:
  • CVE-2026-42198: (needs triaging) pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
  • CVE-2026-54291: (needs triaging) pgjdbc is an open source postgresql JDBC Driver. In releases 42.7.4 through 42.7.11, channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256 without it, losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection can trigger the downgrade with a certificate whose signature algorithm has no tls-server-end-point channel-binding hash, because the bundled com.ongres.scram:scram-client returns an empty byte array instead of failing and pgJDBC ScramAuthenticator checks only that the server advertised a PLUS mechanism, without rejecting the empty binding or checking that the negotiated mechanism uses channel binding. This issue is fixed in version 42.7.12.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-04-29 Last update: 2026-07-09 18:20
debian/patches: 1 patch to forward upstream low

Among the 1 debian patch available in version 42.7.13-1 of the package, we noticed the following issues:

  • 1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2026-07-07 07:00
news
[rss feed]
  • [2026-07-09] libpgjava 42.7.13-1 MIGRATED to testing (Debian testing watch)
  • [2026-07-06] Accepted libpgjava 42.7.13-1 (source) into unstable (Christoph Berg)
  • [2026-07-04] libpgjava 42.7.12-1 MIGRATED to testing (Debian testing watch)
  • [2026-06-30] Accepted libpgjava 42.7.12-1 (source) into unstable (Christoph Berg)
  • [2026-05-03] libpgjava 42.7.11-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-29] Accepted libpgjava 42.7.11-1 (source) into unstable (Christoph Berg)
  • [2026-02-19] libpgjava 42.7.10-1 MIGRATED to testing (Debian testing watch)
  • [2026-02-11] Accepted libpgjava 42.7.10-1 (source) into unstable (Christoph Berg)
  • [2026-01-20] libpgjava 42.7.9-1 MIGRATED to testing (Debian testing watch)
  • [2026-01-17] Accepted libpgjava 42.7.9-1 (source) into unstable (Christoph Berg)
  • [2025-12-07] libpgjava 42.7.8-2 MIGRATED to testing (Debian testing watch)
  • [2025-12-04] Accepted libpgjava 42.7.8-2 (source) into unstable (tony mancill)
  • [2025-09-30] libpgjava 42.7.8-1 MIGRATED to testing (Debian testing watch)
  • [2025-09-23] Accepted libpgjava 42.7.8-1 (source) into unstable (Christoph Berg)
  • [2025-09-23] Accepted libpgjava 42.7.7-2 (source) into unstable (Christoph Berg)
  • [2025-07-09] libpgjava 42.7.7-1 MIGRATED to testing (Debian testing watch)
  • [2025-06-13] Accepted libpgjava 42.7.7-1 (source) into unstable (Christoph Berg)
  • [2025-06-02] Accepted libpgjava 42.7.6-1 (source) into experimental (Christoph Berg)
  • [2025-04-27] libpgjava 42.7.5-2 MIGRATED to testing (Debian testing watch)
  • [2025-04-17] Accepted libpgjava 42.7.5-2 (source) into unstable (Christoph Berg)
  • [2025-02-15] libpgjava 42.7.5-1 MIGRATED to testing (Debian testing watch)
  • [2025-02-10] Accepted libpgjava 42.7.5-1 (source) into unstable (Emmanuel Bourg)
  • [2024-12-21] Accepted libpgjava 42.5.5-0+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2024-12-16] Accepted libpgjava 42.2.15-1+deb11u2 (source) into oldstable-security (Adrian Bunk)
  • [2024-12-11] libpgjava 42.7.3-2 MIGRATED to testing (Debian testing watch)
  • [2024-12-09] Accepted libpgjava 42.7.3-2 (source) into unstable (Emmanuel Bourg)
  • [2024-05-09] Accepted libpgjava 42.2.5-2+deb10u4 (source) into oldoldstable (Markus Koschany)
  • [2024-03-18] libpgjava 42.7.3-1 MIGRATED to testing (Debian testing watch)
  • [2024-03-15] Accepted libpgjava 42.7.3-1 (source) into unstable (Christoph Berg)
  • [2024-02-24] libpgjava 42.7.2-1 MIGRATED to testing (Debian testing watch)
  • 1
  • 2
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • l10n (-, 48)
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 42.7.13-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing