Component Upgrade
Resolution: Done
Major

---
Bumps [postgresql](https://github.com/pgjdbc/pgjdbc) from 42.4.1 to 42.4.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md">postgresql's changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<p>Notable changes since version 42.0.0, read the complete <a href="https://jdbc.postgresql.org/documentation/changelog.html">History of Changes</a>.</p>
<p>The format is based on <a href="http://keepachangelog.com/en/1.0.0/">Keep a Changelog</a>.</p>
<h2>[Unreleased]</h2>
<h3>Changed</h3>
<h3>Added</h3>
<h3>Fixed</h3>
<h2>[42.4.2] (2022-08-17 10:33:40 -0400)</h2>
<h3>Changed</h3>
<ul>
<li>fix: add alias to the generated getUDT() query for clarity (PR <a href="https://github-redirect.dependabot.com/pgjdbc/pgjdbc/pull/2553">#2553</a>)</li>
</ul>
<h3>Added</h3>
<ul>
<li>fix: make setObject accept UUID array PR <a href="https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2587">#2587</a> (<a href="https://github-redirect.dependabot.com/pgjdbc/pgjdbc/pull/2587">pgjdbc/pgjdbc#2587</a>)</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>fix: regression with GSS. Changes introduced to support building with Java 17 caused failures Issue <a href="https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2588">#2588</a> (<a href="https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2588">pgjdbc/pgjdbc#2588</a>)</li>
<li>fix: set a timeout to get the return from requesting SSL upgrade. PR <a href="https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2572">#2572</a> (<a href="https://github-redirect.dependabot.com/pgjdbc/pgjdbc/pull/2572">pgjdbc/pgjdbc#2572</a>)</li>
<li>feat: synchronize statement executions (e.g. avoid deadlock when Connection.isValid is executed from concurrent threads)</li>
</ul>
<h2>[42.4.1] (2022-08-01 16:24:20 -0400)</h2>
<h3>Security</h3>
<ul>
<li>fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
<ul>
<li>Previously, the column names for both key and data columns in the table were copied as-is into the generated
SQL. This allowed a malicious table with column names that include statement terminator to be parsed and
executed as multiple separate commands.</li>
<li>Also adds a new test class ResultSetRefreshTest to verify this change.</li>
<li>Reported by <a href="https://github.com/kato-sho">Sho Kato</a></li>
</ul>
</li>
</ul>
<h3>Changed</h3>
<ul>
<li>chore: skip publishing pgjdbc-osgi-test to Central</li>
<li>chore: bump Gradle to 7.5</li>
<li>test: update JUnit to 5.8.2</li>
</ul>
<h3>Added</h3>
<ul>
<li>chore: added Gradle Wrapper Validation for verifying gradle-wrapper.jar</li>
<li>chore: added "permissions: contents: read" for GitHub Actions to avoid unintentional modifications by the CI</li>
<li>chore: support building pgjdbc with Java 17</li>
<li>feat: synchronize statement executions (e.g. avoid deadlock when Connection.isValid is executed from concurrent threads)</li>
</ul>
<h3>Fixed</h3>
<h2>[42.4.0] (2022-06-09 08:14:02 -0400)</h2>
<h3>Changed</h3>
<ul>
<li>fix: added GROUP_STARTUP_PARAMETERS boolean property to determine whether or not to group
startup parameters in a transaction (default=false like 42.2.x) fixes Issue <a href="https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2425">#2425</a> (<a href="https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2497">pgjdbc/pgjdbc#2497</a>)</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
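The CVE-2022-31197 entry above describes the defect class this bump inherits a fix for: column names copied verbatim into the SQL that a result-set refresh generates. The following is an added illustration (not pgjdbc code) of the same defect and its remedy, quoting identifiers PostgreSQL-style (double quotes, embedded quotes doubled); it uses an in-memory SQLite database purely as a stand-in executor, and the table and column names are constructed.

```python
import sqlite3

# Constructed fixture: a table whose column names carry a statement
# terminator and an embedded double quote, as a hostile schema could.
TABLE = "orders"
KEY_COLS = ["id"]
DATA_COLS = ['qty; note', 'size "large"']


def quote_ident(name: str) -> str:
    """Quote a SQL identifier the PostgreSQL way: wrap in double quotes and
    double any embedded double quote, so the name cannot close the identifier
    early or terminate the statement."""
    if "\x00" in name:
        raise ValueError("identifier contains NUL")
    return '"' + name.replace('"', '""') + '"'


def build_refresh_sql(table, key_cols, data_cols, quote=True):
    """Build the SELECT a row refresh issues.
    quote=False reproduces the pre-42.4.1 pattern of copying names as-is."""
    q = quote_ident if quote else (lambda s: s)
    select = ", ".join(q(c) for c in data_cols)
    where = " AND ".join(f"{q(c)} = ?" for c in key_cols)
    return f"SELECT {select} FROM {q(table)} WHERE {where}"


def _fixture():
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(quote_ident(c) + " TEXT" for c in KEY_COLS + DATA_COLS)
    conn.execute(f"CREATE TABLE {quote_ident(TABLE)} ({cols})")
    conn.execute(f"INSERT INTO {quote_ident(TABLE)} VALUES (?, ?, ?)",
                 ("1", "3", "L"))
    return conn


def refresh_row(key_value, quote=True):
    """Run the generated refresh query against the fixture. Returns the row
    when the SQL is one well-formed statement, otherwise the error text."""
    conn = _fixture()
    sql = build_refresh_sql(TABLE, KEY_COLS, DATA_COLS, quote)
    try:
        return conn.execute(sql, (key_value,)).fetchone()
    except sqlite3.Error as e:
        return f"error: {e}"
    finally:
        conn.close()
```

With quoting, the hostile names are fetched as ordinary columns; without it, the driver hands the database text that no longer parses as the single statement it intended, which is the condition the CVE describes.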
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pgjdbc/pgjdbc/commit/389be0a6e61c42bf65bb2974f5f1664bf7d8db8c"><code>389be0a</code></a> Update changelog for release (<a href="https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2596">#2596</a>)</li>
<li><a href="https://github.com/pgjdbc/pgjdbc/commit/364662eb340116a80f9f01781a50d0e2138e2ef1"><code>364662e</code></a> fix erroneous method signature and null subjectCallAs (<a href="https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2595">#2595</a>)</li>
<li><a href="https://github.com/pgjdbc/pgjdbc/commit/04dc96a5dbdb6954e8c5319f6b1209eef46f7917"><code>04dc96a</code></a> update last copyright year (<a href="https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2593">#2593</a>)</li>
<li><a href="https://github.com/pgjdbc/pgjdbc/commit/f76ca463df5775bf671bbdee3656fb0dec26018a"><code>f76ca46</code></a> fix checkstyle</li>
<li><a href="https://github.com/pgjdbc/pgjdbc/commit/a45b4d8bda433cc0f8f6016b62b5b414a19dcf58"><code>a45b4d8</code></a> get rid of javadoc warnings</li>
<li><a href="https://github.com/pgjdbc/pgjdbc/commit/abf3bcb73c02bc714920ba64f5a6c433218f7151"><code>abf3bcb</code></a> fix mismatched types for invokeExact. Have to tell invokeExact what type we a...</li>
<li><a href="https://github.com/pgjdbc/pgjdbc/commit/96f256107e12de71992b932782f9f00b19aabbb2"><code>96f2561</code></a> fix: make setObject accept UUID array (<a href="https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2587">#2587</a>)</li>
<li><a href="https://github.com/pgjdbc/pgjdbc/commit/0b097fd4a8e9990a9b86173d58633cd88d263b0b"><code>0b097fd</code></a> bumped minor version for next release</li>
<li><a href="https://github.com/pgjdbc/pgjdbc/commit/7363fffbb8d86b636a7208594bc643a483974947"><code>7363fff</code></a> Revert revert commits made in PR 2580 (<a href="https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2583">#2583</a>)</li>
<li>See full diff in <a href="https://github.com/pgjdbc/pgjdbc/compare/REL42.4.1...REL42.4.2">compare view</a></li>
</ul>
</details>
<br />
You can trigger a rebase of this PR by commenting `@dependabot rebase`.
—
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
</details>