Source: golang-github-jackc-pgx
Version: 4.18.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for golang-github-jackc-pgx.

CVE-2024-27304[0]:
| pgx is a PostgreSQL driver and toolkit for Go. SQL injection can
| occur if an attacker can cause a single query or bind message to
| exceed 4 GB in size. An integer overflow in the calculated message
| size can cause the one large message to be sent as multiple messages
| under the attacker's control. The problem is resolved in v4.18.2 and
| v5.5.4. As a workaround, reject user input large enough to cause a
| single query or bind message to exceed 4 GB in size.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27304
    https://www.cve.org/CVERecord?id=CVE-2024-27304
[1] https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv
[2] https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
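Added illustration in Go (not from the bug report, pgx or Debian) of why the 4 GB boundary in the advisory matters, and of the advisory's workaround as a size check applied before input reaches the driver. The 64 MiB cap and the function names are assumptions chosen here; the wrapped length field mimics 32-bit arithmetic and is not pgx's code.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// A PostgreSQL frontend message carries a signed 32-bit length field that
// counts itself (4 bytes), so the body of one message cannot exceed this.
const maxWireBody = math.MaxInt32 - 4

// safeInputLimit is an assumed application cap (not from pgx): keeping a
// query and its parameters under it keeps every message far below 4 GB.
const safeInputLimit = 64 << 20 // 64 MiB

// naiveLengthField mimics a length computed in 32-bit arithmetic. Past 4 GB
// the value wraps, so the header advertises a short message and the server
// reads the remaining bytes as further messages it was never meant to see.
func naiveLengthField(bodyLen uint64) int32 {
	return int32(uint32(4 + bodyLen)) // truncation to 32 bits is the overflow
}

// bodyFitsWire reports whether a body can be framed without overflow.
func bodyFitsWire(bodyLen uint64) bool {
	return bodyLen <= maxWireBody
}

// CheckBindSize applies the advisory's workaround before data reaches the
// driver: reject a query plus bind parameters whose combined size exceeds
// the cap. Only lengths are passed, so the check is cheap and overflow-safe.
func CheckBindSize(queryLen uint64, paramLens []uint64) error {
	total := queryLen
	if total > safeInputLimit {
		return errors.New("query text exceeds size limit")
	}
	for i, l := range paramLens {
		if l > safeInputLimit-total { // avoids wrapping the running sum
			return fmt.Errorf("parameter %d pushes message over size limit", i)
		}
		total += l
	}
	return nil
}

func main() {
	body := uint64(1)<<32 + 100 // just over 4 GB, handled as a length only
	fmt.Println("fits wire:", bodyFitsWire(body))                // false
	fmt.Println("wrapped length field:", naiveLengthField(body)) // 104
	fmt.Println("guard:", CheckBindSize(16, []uint64{body}))
}
```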