Source: golang-github-jackc-pgx Version: 4.18.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for golang-github-jackc-pgx. CVE-2024-27289[0]: | pgx is a PostgreSQL driver and toolkit for Go. Prior to version | 4.18.2, SQL injection can occur when all of the following conditions | are met: the non-default simple protocol is used; a placeholder for | a numeric value must be immediately preceded by a minus; there must | be a second placeholder for a string value after the first | placeholder; both must be on the same line; and both parameter | values must be user-controlled. The problem is resolved in v4.18.2. | As a workaround, do not use the simple protocol or do not place a | minus directly before a placeholder. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-27289 https://www.cve.org/CVERecord?id=CVE-2024-27289 [1] https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p [2] https://github.com/jackc/pgx/commit/826a89229b8b1cdf18e4190afa437d3df9901b9c Please adjust the affected versions in the BTS as needed. Regards, Salvatore