Christoph Berg pushed to branch upstream at Debian Java Maintainers / 
libpostgresql-jdbc-java


Commits:
8c6b8af7 by Christoph Berg at 2026-06-30T11:17:33+02:00
New upstream version 42.7.12
- - - - -


4 changed files:

- pom.xml
- src/main/java/org/postgresql/core/v3/ScramAuthenticator.java
- src/main/java/org/postgresql/util/DriverInfo.java
- src/main/resources/META-INF/MANIFEST.MF


Changes:

=====================================
pom.xml
=====================================
@@ -8,7 +8,7 @@
 
     <groupId>org.postgresql</groupId>
     <artifactId>postgresql</artifactId>
-    <version>42.7.11</version>
+    <version>42.7.12</version>
     <packaging>jar</packaging>
     <name>PostgreSQL JDBC Driver - JDBC 4.2</name>
     <description>Java JDBC 4.2 (JRE 8+) driver for PostgreSQL 
database</description>


=====================================
src/main/java/org/postgresql/core/v3/ScramAuthenticator.java
=====================================
@@ -62,6 +62,15 @@ final class ScramAuthenticator {
           .stringPreparation(StringPreparation.POSTGRESQL_PREPARATION)
           .build();
 
+      // channelBinding=require must never silently downgrade: regardless of 
how negotiation
+      // resolved, the selected mechanism must actually use channel binding (a 
-PLUS mechanism).
+      if (channelBinding == ChannelBinding.REQUIRE && 
!client.getScramMechanism().isPlus()) {
+        throw new PSQLException(
+            GT.tr("Channel Binding is required, but the negotiated SCRAM 
mechanism \"{0}\" "
+                + "does not use channel binding.", 
client.getScramMechanism().getName()),
+            PSQLState.CONNECTION_REJECTED);
+      }
+
       LOGGER.log(Level.FINEST, () -> " Using SCRAM mechanism: "
           + client.getScramMechanism().getName());
       return client;
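Review bot: The new REQUIRE guard after `.build()` reports a refused downgrade only through the thrown PSQLException, so nothing reaches the driver log if the calling code catches the exception and retries or falls back to another connection. A non-PLUS mechanism being negotiated under channelBinding=require is a signal worth keeping for whoever monitors these connections. I would log it before the throw, for example `LOGGER.log(Level.WARNING, "channelBinding=require but negotiated SCRAM mechanism {0} does not use channel binding", client.getScramMechanism().getName());`. The existing FINEST line below the guard is never reached on this path. The enclosing method starts outside the hunk.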
@@ -111,7 +120,22 @@ final class ScramAuthenticator {
           Certificate peerCert = certificates[0]; // First certificate is the 
peer's certificate
           if (peerCert instanceof X509Certificate) {
             X509Certificate cert = (X509Certificate) peerCert;
-            return TlsServerEndpoint.getChannelBindingData(cert);
+            byte[] cbindData = TlsServerEndpoint.getChannelBindingData(cert);
+            if (cbindData.length > 0) {
+              return cbindData;
+            }
+            // An empty result means no channel binding hash could be derived 
from the
+            // certificate signature algorithm: for example Ed25519 has no 
associated hash
+            // under RFC 5929 tls-server-end-point. Under REQUIRE this must 
fail rather than
+            // silently downgrade to a non-PLUS mechanism.
+            if (channelBinding == ChannelBinding.REQUIRE) {
+              throw new PSQLException(
+                  GT.tr("Channel Binding is required, but the server 
certificate signature "
+                      + "algorithm \"{0}\" does not support 
tls-server-end-point channel "
+                      + "binding (RFC 5929). Use a server certificate signed 
with RSA or ECDSA.",
+                      cert.getSigAlgName()),
+                  PSQLState.CONNECTION_REJECTED);
+            }
           }
         }
       } catch (CertificateEncodingException | SSLPeerUnverifiedException e) {
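Review bot: The fail-closed throw added here covers only the branch where the peer certificate is an X509Certificate and the derived hash is empty. The other no-binding paths are unchanged: a peer certificate that is not an X509Certificate falls through, and what the catch on the last line does under REQUIRE is not visible. Those cases presumably end up rejected by the `isPlus()` guard added in the first hunk of this file, but that dependency is not stated anywhere in this method. A comment after the inner `if` would make it explicit, for example `// Other paths that yield no binding data are rejected under REQUIRE by the isPlus() check after mechanism selection.` The enclosing method starts and ends outside the hunk, so confirm that nothing after the catch returns usable binding data on those paths.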


=====================================
src/main/java/org/postgresql/util/DriverInfo.java
=====================================
@@ -16,13 +16,13 @@ public final class DriverInfo {
   // Driver name
   public static final String DRIVER_NAME = "PostgreSQL JDBC Driver";
   public static final String DRIVER_SHORT_NAME = "PgJDBC";
-  public static final String DRIVER_VERSION = "42.7.11";
+  public static final String DRIVER_VERSION = "42.7.12";
   public static final String DRIVER_FULL_NAME = DRIVER_NAME + " " + 
DRIVER_VERSION;
 
   // Driver version
   public static final int MAJOR_VERSION = 42;
   public static final int MINOR_VERSION = 7;
-  public static final int PATCH_VERSION = 11;
+  public static final int PATCH_VERSION = 12;
 
   // JDBC specification
   public static final String JDBC_VERSION = "4.2";


=====================================
src/main/resources/META-INF/MANIFEST.MF
=====================================
@@ -1,7 +1,7 @@
 Manifest-Version: 1.0
 Bundle-License: BSD-2-Clause
 Implementation-Title: PostgreSQL JDBC Driver
-Implementation-Version: 42.7.11
+Implementation-Version: 42.7.12
 Specification-Vendor: Oracle Corporation
 Specification-Version: 4.2
 Specification-Title: JDBC



View it on GitLab: 
https://salsa.debian.org/java-team/libpostgresql-jdbc-java/-/commit/8c6b8af74f775da02b589ee30921f8e2c97153d3
