bvolpato opened a new pull request, #37941: URL: https://github.com/apache/beam/pull/37941
## Summary

Bumps the PostgreSQL JDBC Driver from `42.2.16` to `42.7.10` to address multiple security vulnerabilities.

**CVE Details:**

| CVE | CVSS | Description |
|-----|------|-------------|
| [CVE-2024-1597](https://www.cve.org/CVERecord?id=CVE-2024-1597) | **9.8 Critical** | SQL injection via `preferQueryMode=simple` in combination with application code that has a vulnerable SQL query. |
| [CVE-2022-31197](https://www.cve.org/CVERecord?id=CVE-2022-31197) | **7.1 High** | SQL injection in `ResultSet.refreshRow()` with column names containing a statement terminator. |
| [CVE-2022-21724](https://www.cve.org/CVERecord?id=CVE-2022-21724) | **9.8 Critical** | pgjdbc instantiates plugin instances based on class names provided via connection properties without verifying the class implements the expected interface, which can lead to code execution through arbitrary classes. |

**References:**

- https://jdbc.postgresql.org/security/
- https://www.postgresql.org/about/news/postgresql-jdbc-4272-4261-4255-4244-4239-42228-and-42228jre7-security-update-for-cve-2024-1597-2812/

## Changes

- Bumps `postgres_version` in `BeamModulePlugin.groovy` from `42.2.16` to `42.7.10`
- Adds a Security Fixes entry in `CHANGES.md` for the 2.73.0 release

## Testing

The PostgreSQL JDBC Driver maintains JDBC 4.2 API backward compatibility across 42.x releases. The changes between 42.2.16 and 42.7.10 are primarily internal security and bug fixes — no public API changes.

The existing test suites that exercise this dependency serve as sufficient regression coverage:

- `:sdks:java:io:jdbc:test` — JdbcIO unit and integration tests via testcontainers with PostgreSQL
- `:sdks:java:io:common:test` — Common IO utilities
- `:sdks:java:io:hadoop-format:test` — HadoopFormatIO with PostgreSQL backend

No new tests are needed as the JDBC API surface is unchanged.

------------------------

Thank you for your contribution!
Follow this checklist to help us incorporate your contribution quickly and easily:

- [x] Mention the appropriate issue in your description (for example: `addresses #123`), if applicable.
- [x] Update `CHANGES.md` with noteworthy changes.
- [ ] If this contribution is large, please file an Apache [Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf).

See the [Contributor Guide](https://beam.apache.org/contribute) for more tips on [how to make review process smoother](https://github.com/apache/beam/blob/master/CONTRIBUTING.md#make-the-reviewers-job-easier).

--
This is an automated message from the Apache Git Service.
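A version-floor check of the kind this bump implies, added here as an example; it is not part of the PR or of the Beam code base. It assumes a Gradle-style `postgres_version` pin and `org.postgresql:postgresql:<version>` coordinates, and uses `42.7.10` (the version this PR moves to) as a constructed minimum rather than encoding which release fixed each CVE.

```python
import re

# Constructed floor: the version this PR moves Beam to. Anything older is
# flagged; this does not encode which exact release fixed each CVE.
MIN_PGJDBC = "42.7.10"

# pgjdbc versions look like 42.7.10 or 42.2.28.jre7; the ".jre7" suffix is a
# build variant, not a higher patch level, so it is stripped before comparing.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.jre\d+)?$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '42.2.16' into (42, 2, 16); raise on anything unexpected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised pgjdbc version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_outdated(version: str, minimum: str = MIN_PGJDBC) -> bool:
    """Numeric compare: '42.2.9' is older than '42.2.16', even though a
    plain string compare would put it after."""
    return parse_version(version) < parse_version(minimum)


# Two assumed pin styles, matched line by line: a Gradle property named
# postgres_version and a Maven/Gradle coordinate string.
_PIN_RES = [
    re.compile(r"""postgres_version\s*[:=]\s*["']([^"']+)["']"""),
    re.compile(r"""org\.postgresql:postgresql:([^"'\s,)]+)"""),
]


def find_outdated_pins(build_text: str, minimum: str = MIN_PGJDBC) -> list[tuple[int, str]]:
    """Return (line_number, version) for every pgjdbc pin below `minimum`."""
    hits = []
    for lineno, line in enumerate(build_text.splitlines(), start=1):
        for pattern in _PIN_RES:
            for version in pattern.findall(line):
                if is_outdated(version, minimum):
                    hits.append((lineno, version))
    return hits


# Constructed sample build text: the pre-bump pin beside two coordinate pins.
SAMPLE_BUILD = """def postgres_version = "42.2.16"
implementation "org.postgresql:postgresql:42.2.28.jre7"
testImplementation "org.postgresql:postgresql:42.7.10"
"""

if __name__ == "__main__":
    for lineno, version in find_outdated_pins(SAMPLE_BUILD):
        print(f"line {lineno}: pgjdbc {version} is older than {MIN_PGJDBC}")
```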
