CVE-2024-1597 updated postgres version to 42.6.1 #23710

Merged
tdcmeehan merged 1 commit into prestodb:master from adkharat:postgres_version_upgrade
Sep 25, 2024
Conversation

@adkharat
Contributor

@adkharat adkharat commented Sep 24, 2024

Description

CVE-2024-1597
Security fix for postgresql
Vulnerable version: 4.6.0
Fixed version: 4.6.1

Updated postgresql version from 4.6.0 to 4.6.1 in root pom.xml

Motivation and Context

pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.

Impact

Image scan report showed the vulnerability has been removed

correlation-report-ibm-lh-presto-postgres.csv

Test Plan

Contributor checklist

  • Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

== RELEASE NOTES ==

Security Changes
* Upgrade Postgres JDBC Driver to 42.6.1 :pr:`23710`
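As an added defensive check that is not part of this PR or of Presto's code: the script below reads the pgjdbc version declared in a pom.xml, compares it against the fixed versions listed in the description above, and flags JDBC URLs that select preferQueryMode=simple, the only mode in which the bug is reachable. The pom.xml layout, the dep.postgresql.version property name and the JDBC URLs are constructed for the example.

```python
# Audit helper for CVE-2024-1597 exposure (added example; not Presto or pgjdbc code).
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# First fixed release on each pgjdbc branch, as listed in the advisory text above.
FIXED_VERSIONS = ["42.7.2", "42.6.1", "42.5.5", "42.4.4", "42.3.9", "42.2.28"]

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def is_affected_version(version):
    """True if this pgjdbc version predates the fix on its 42.x branch."""
    v = parse_version(version)
    for fixed in map(parse_version, FIXED_VERSIONS):
        if v[:2] == fixed[:2]:
            return v < fixed
    # Branch with no patched release: older than 42.2.28 is affected, newer than 42.7 is not.
    return v < parse_version("42.2.28")

def pgjdbc_version_from_pom(pom_xml):
    """Return the declared org.postgresql:postgresql version, resolving a ${property} reference."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter(f"{{{NS['m']}}}dependency"):
        if (dep.findtext("m:groupId", namespaces=NS) == "org.postgresql"
                and dep.findtext("m:artifactId", namespaces=NS) == "postgresql"):
            version = dep.findtext("m:version", namespaces=NS) or ""
            ref = re.fullmatch(r"\$\{([^}]+)\}", version)
            return root.findtext(f"m:properties/m:{ref.group(1)}", namespaces=NS) if ref else version
    return None

def uses_simple_query_mode(jdbc_url):
    """Flag preferQueryMode=simple; key and value compared case-insensitively to stay conservative."""
    params = {k.lower(): v for k, v in parse_qs(jdbc_url.partition("?")[2]).items()}
    return any(val.lower() == "simple" for val in params.get("preferquerymode", []))

def assess(pom_xml, jdbc_url):
    version = pgjdbc_version_from_pom(pom_xml)
    affected = version is not None and is_affected_version(version)
    simple = uses_simple_query_mode(jdbc_url)
    return {"version": version, "affected_version": affected, "simple_mode": simple,
            "exposed": affected and simple}

# Constructed sample: property name and layout are assumed, not Presto's actual root pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><dep.postgresql.version>42.6.0</dep.postgresql.version></properties>
  <dependencyManagement><dependencies><dependency><groupId>org.postgresql</groupId>
  <artifactId>postgresql</artifactId><version>${dep.postgresql.version}</version>
  </dependency></dependencies></dependencyManagement></project>"""
```

Running `assess(SAMPLE_POM, url)` over each connector's JDBC URL gives a quick answer to whether the upgrade in this PR was merely hygiene or closed a reachable injection path.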

@adkharat adkharat requested a review from a team as a code owner September 24, 2024 09:29
@adkharat adkharat requested a review from presto-oss September 24, 2024 09:29
@linux-foundation-easycla

linux-foundation-easycla bot commented Sep 24, 2024

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: adkharat / name: Ajay Kharat (543e37e)

@adkharat adkharat changed the title updated postgres version to 42.6.1 CVE-2024-1597 updated postgres version to 42.6.1 Sep 24, 2024
@adkharat
Contributor Author

@imjalpreet Could you please review the PR?

Member

@imjalpreet imjalpreet left a comment

@adkharat Thanks for the fix! LGTM 👍🏼

Can you please sign the CLA? You should be able to see a comment with the instructions above.

@imjalpreet
Member

The email address for the commit (910e100) is not linked to the GitHub account

@adkharat It looks like the email ID you used while committing is not linked to your GitHub account. There are two ways to solve this: you can link that email ID with your GitHub account or please amend your commit and use the email ID of the GitHub account you are using.

If you decide to go with the first option, you can link a new email to your existing GitHub account by going to Settings->Emails->Add email address.

Member

@imjalpreet imjalpreet left a comment

A small request: Please update the commit message to: Upgrade Postgres JDBC Driver to 42.6.1

@steveburnett
Contributor

A small request: Please update the commit message to: Upgrade Postgres JDBC Driver to 42.6.1

Yes, please, following the Release Notes Guidelines. For example:

== RELEASE NOTES ==

Security Changes
* Upgrade Postgres JDBC Driver to 42.6.1 :pr:`23710`

@adkharat adkharat force-pushed the postgres_version_upgrade branch from 910e100 to c6a7c8c Compare September 25, 2024 03:41
@adkharat adkharat force-pushed the postgres_version_upgrade branch from c6a7c8c to 543e37e Compare September 25, 2024 03:47
@adkharat
Contributor Author

A small request: Please update the commit message to: Upgrade Postgres JDBC Driver to 42.6.1

Done

@adkharat
Contributor Author

adkharat commented Sep 25, 2024

A small request: Please update the commit message to: Upgrade Postgres JDBC Driver to 42.6.1

Yes, please, following the Release Notes Guidelines. For example:

== RELEASE NOTES ==

Security Changes
* Upgrade Postgres JDBC Driver to 42.6.1 :pr:`23710`

@steveburnett Done

@adkharat
Contributor Author

adkharat commented Sep 25, 2024

@adkharat Thanks for the fix! LGTM 👍🏼

Can you please sign the CLA? You should be able to see a comment with the instructions above.

@imjalpreet Done

@imjalpreet
Member

@adkharat Thanks, LGTM.

@tdcmeehan tdcmeehan merged commit 2242d6c into prestodb:master Sep 25, 2024
@jaystarshot jaystarshot mentioned this pull request Nov 1, 2024
@tdcmeehan tdcmeehan added the from:IBM PR from IBM label Dec 13, 2024
@prestodb-ci prestodb-ci requested review from a team, pdabre12 and sh-shamsan and removed request for a team December 13, 2024 15:29
@prestodb-ci prestodb-ci requested a review from a team April 3, 2025 04:09