CVE-2024-1597 updated postgres version to 42.6.1 #23710
tdcmeehan merged 1 commit into prestodb:master from
Conversation
@imjalpreet Could you please review the PR.
imjalpreet left a comment
@adkharat Thanks for the fix! LGTM 👍🏼
Can you please sign the CLA? You should be able to see a comment with the instructions above.
@adkharat It looks like the email ID you used while committing is not linked to your GitHub account. There are two ways to solve this: you can link that email ID with your GitHub account, or please amend your commit and use the email ID of the GitHub account you are using. If you decide to go with the first option, you can link a new email to your existing GitHub account by going to Settings->Emails->Add email address
imjalpreet left a comment
A small request: Please update the commit message to: Upgrade Postgres JDBC Driver to 42.6.1
Yes, please, following the Release Notes Guidelines. For example:
910e100 to c6a7c8c
c6a7c8c to 543e37e
Done
@steveburnett Done
@imjalpreet Done
@adkharat Thanks, LGTM. |
Description
CVE-2024-1597
Security fix for postgresql
Vulnerable version: 4.6.0
Fixed version: 4.6.1
Updated postgresql version from 4.6.0 to 4.6.1 in root pom.xml
Motivation and Context
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
Impact
Image scan report showed the vulnerability has been removed
correlation-report-ibm-lh-presto-postgres.csv
Test Plan
Contributor checklist
Release Notes