Christoph Berg pushed to branch master at Debian Java Maintainers / 
libpostgresql-jdbc-java


Commits:
8c6b8af7 by Christoph Berg at 2026-06-30T11:17:33+02:00
New upstream version 42.7.12
- - - - -
3fae30e5 by Christoph Berg at 2026-06-30T11:17:36+02:00
Update upstream source from tag 'upstream/42.7.12'

Update to upstream version '42.7.12'
with Debian dir f8467ebe7e01a435dd511e33b6832b19da1fef23
- - - - -
51d5cc78 by Christoph Berg at 2026-06-30T09:20:36+00:00
New upstream version 42.7.12.

- - - - -


5 changed files:

- debian/changelog
- pom.xml
- src/main/java/org/postgresql/core/v3/ScramAuthenticator.java
- src/main/java/org/postgresql/util/DriverInfo.java
- src/main/resources/META-INF/MANIFEST.MF


Changes:

=====================================
debian/changelog
=====================================
@@ -1,8 +1,9 @@
-libpgjava (42.7.11-2) UNRELEASED; urgency=medium
+libpgjava (42.7.12-1) unstable; urgency=medium
 
+  * New upstream version 42.7.12.
   * Switch to Static-Built-Using.
 
- -- Christoph Berg <[email protected]>  Sat, 13 Jun 2026 18:56:34 +0200
+ -- Christoph Berg <[email protected]>  Tue, 30 Jun 2026 11:17:37 +0200
 
 libpgjava (42.7.11-1) unstable; urgency=medium
 


=====================================
pom.xml
=====================================
@@ -8,7 +8,7 @@
 
     <groupId>org.postgresql</groupId>
     <artifactId>postgresql</artifactId>
-    <version>42.7.11</version>
+    <version>42.7.12</version>
     <packaging>jar</packaging>
     <name>PostgreSQL JDBC Driver - JDBC 4.2</name>
     <description>Java JDBC 4.2 (JRE 8+) driver for PostgreSQL 
database</description>


=====================================
src/main/java/org/postgresql/core/v3/ScramAuthenticator.java
=====================================
@@ -62,6 +62,15 @@ final class ScramAuthenticator {
           .stringPreparation(StringPreparation.POSTGRESQL_PREPARATION)
           .build();
 
+      // channelBinding=require must never silently downgrade: regardless of 
how negotiation
+      // resolved, the selected mechanism must actually use channel binding (a 
-PLUS mechanism).
+      if (channelBinding == ChannelBinding.REQUIRE && 
!client.getScramMechanism().isPlus()) {
+        throw new PSQLException(
+            GT.tr("Channel Binding is required, but the negotiated SCRAM 
mechanism \"{0}\" "
+                + "does not use channel binding.", 
client.getScramMechanism().getName()),
+            PSQLState.CONNECTION_REJECTED);
+      }
+
       LOGGER.log(Level.FINEST, () -> " Using SCRAM mechanism: "
           + client.getScramMechanism().getName());
       return client;
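Review bot: The new guard fails closed only when `channelBinding == ChannelBinding.REQUIRE`; in every other mode, a fallback to a non-PLUS mechanism is still recorded only by the `Level.FINEST` line that follows. An operator is therefore unlikely to notice that a TLS session authenticated without channel binding. Consider a more visible record placed after the guard, for example `if (!client.getScramMechanism().isPlus()) { LOGGER.log(Level.FINE, "SCRAM channel binding not in use; mechanism: {0}", client.getScramMechanism().getName()); }`. The enclosing method begins above the hunk, so whether a caller already reports this cannot be seen from here.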
@@ -111,7 +120,22 @@ final class ScramAuthenticator {
           Certificate peerCert = certificates[0]; // First certificate is the 
peer's certificate
           if (peerCert instanceof X509Certificate) {
             X509Certificate cert = (X509Certificate) peerCert;
-            return TlsServerEndpoint.getChannelBindingData(cert);
+            byte[] cbindData = TlsServerEndpoint.getChannelBindingData(cert);
+            if (cbindData.length > 0) {
+              return cbindData;
+            }
+            // An empty result means no channel binding hash could be derived 
from the
+            // certificate signature algorithm: for example Ed25519 has no 
associated hash
+            // under RFC 5929 tls-server-end-point. Under REQUIRE this must 
fail rather than
+            // silently downgrade to a non-PLUS mechanism.
+            if (channelBinding == ChannelBinding.REQUIRE) {
+              throw new PSQLException(
+                  GT.tr("Channel Binding is required, but the server 
certificate signature "
+                      + "algorithm \"{0}\" does not support 
tls-server-end-point channel "
+                      + "binding (RFC 5929). Use a server certificate signed 
with RSA or ECDSA.",
+                      cert.getSigAlgName()),
+                  PSQLState.CONNECTION_REJECTED);
+            }
           }
         }
       } catch (CertificateEncodingException | SSLPeerUnverifiedException e) {
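Review bot: The REQUIRE rejection added here is reached only when the peer certificate is an `X509Certificate` and the derived binding data is empty. A non-X.509 peer certificate and the `catch` path both fall through without it. Those cases presumably end at the `isPlus()` guard added in the earlier hunk, but nothing in this method says so. A short comment after the inner `if` would make that dependency explicit, e.g. `// Other paths without binding data are rejected under REQUIRE by the isPlus() check after mechanism selection.` The method body and the catch handler continue outside the hunk, so this should be confirmed against the full file.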


=====================================
src/main/java/org/postgresql/util/DriverInfo.java
=====================================
@@ -16,13 +16,13 @@ public final class DriverInfo {
   // Driver name
   public static final String DRIVER_NAME = "PostgreSQL JDBC Driver";
   public static final String DRIVER_SHORT_NAME = "PgJDBC";
-  public static final String DRIVER_VERSION = "42.7.11";
+  public static final String DRIVER_VERSION = "42.7.12";
   public static final String DRIVER_FULL_NAME = DRIVER_NAME + " " + 
DRIVER_VERSION;
 
   // Driver version
   public static final int MAJOR_VERSION = 42;
   public static final int MINOR_VERSION = 7;
-  public static final int PATCH_VERSION = 11;
+  public static final int PATCH_VERSION = 12;
 
   // JDBC specification
   public static final String JDBC_VERSION = "4.2";


=====================================
src/main/resources/META-INF/MANIFEST.MF
=====================================
@@ -1,7 +1,7 @@
 Manifest-Version: 1.0
 Bundle-License: BSD-2-Clause
 Implementation-Title: PostgreSQL JDBC Driver
-Implementation-Version: 42.7.11
+Implementation-Version: 42.7.12
 Specification-Vendor: Oracle Corporation
 Specification-Version: 4.2
 Specification-Title: JDBC



View it on GitLab: 
https://salsa.debian.org/java-team/libpostgresql-jdbc-java/-/compare/162a5db56005788646427995670b2a7f3e072b7b...51d5cc78837b46a437e87abd5843a1fb78244e4c
