Date: Thu, 17 Feb 2022 13:14:57 GMT From: Palle Girgensohn <girgen@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: e712bd2191da - main - databases/postgresql-jdbc: update to 42.3.3. Message-ID: <202202171314.21HDEvJi007888@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by girgen: URL: https://cgit.FreeBSD.org/ports/commit/?id=e712bd2191da51dfc3830c0119b1a3c1dc4db19d commit e712bd2191da51dfc3830c0119b1a3c1dc4db19d Author: Palle Girgensohn <girgen@FreeBSD.org> AuthorDate: 2022-02-17 13:12:12 +0000 Commit: Palle Girgensohn <girgen@FreeBSD.org> CommitDate: 2022-02-17 13:14:51 +0000 databases/postgresql-jdbc: update to 42.3.3. A security advisory has been created for the PostgreSQL JDBC Driver. The URL connection string loggerFile property could be mis-used to create an arbitrary file on the system that the driver is loaded. Additionally anything in the connection string will be logged and subsequently written into that file. In an insecure system it would be possible to execute this file through a webserver. While we do not consider this a security issue with the driver, we have decided to remove the loggerFile and loggerLevel connection properties in the next release of the driver. Removal of those properties does not make exposing the JDBC URL or connection properties to an attacker safe and we continue to suggest that applications do not allow untrusted users to specify arbitrary connection properties. We are removing them to prevent misuse and their functionality can be delegated to java.util.logging. The changelog is not very useful as the change was done behind a security advisory. The short version is that loggerFile and loggerLevel properties still exist but do not do anything. Security: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8 --- databases/postgresql-jdbc/Makefile | 2 +- databases/postgresql-jdbc/distinfo | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/databases/postgresql-jdbc/Makefile b/databases/postgresql-jdbc/Makefile index cfaf2a78928a..f6e08fa6f655 100644 --- a/databases/postgresql-jdbc/Makefile +++ b/databases/postgresql-jdbc/Makefile @@ -1,7 +1,7 @@ # Created by: Palle Girgensohn <girgen@partitur.se> PORTNAME= postgresql -PORTVERSION= 42.3.1 +PORTVERSION= 42.3.3 CATEGORIES= databases java MASTER_SITES= http://jdbc.postgresql.org/download/ PKGNAMESUFFIX= -jdbc diff --git a/databases/postgresql-jdbc/distinfo b/databases/postgresql-jdbc/distinfo index fc58d3ce4a15..97eedd616464 100644 --- a/databases/postgresql-jdbc/distinfo +++ b/databases/postgresql-jdbc/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1635606114 -SHA256 (postgresql-42.3.1.jar) = 8370570857da86eb4a76dd3d8505d34bac0c18186741fa83a6820a10fa441cb4 -SIZE (postgresql-42.3.1.jar) = 1015689 +TIMESTAMP = 1645102191 +SHA256 (postgresql-42.3.3.jar) = eed0604f512ba44817954de99a07e2a5470aa4bfcb481d4e63a93e0ff0e0aede +SIZE (postgresql-42.3.3.jar) = 1039047
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202202171314.21HDEvJi007888>