Christoph Berg pushed to branch upstream at Debian Java Maintainers /
libpostgresql-jdbc-java
Commits:
8c6b8af7 by Christoph Berg at 2026-06-30T11:17:33+02:00
New upstream version 42.7.12
- - - - -
4 changed files:
- pom.xml
- src/main/java/org/postgresql/core/v3/ScramAuthenticator.java
- src/main/java/org/postgresql/util/DriverInfo.java
- src/main/resources/META-INF/MANIFEST.MF
Changes:
=====================================
pom.xml
=====================================
@@ -8,7 +8,7 @@
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
- <version>42.7.11</version>
+ <version>42.7.12</version>
<packaging>jar</packaging>
<name>PostgreSQL JDBC Driver - JDBC 4.2</name>
<description>Java JDBC 4.2 (JRE 8+) driver for PostgreSQL
database</description>
=====================================
src/main/java/org/postgresql/core/v3/ScramAuthenticator.java
=====================================
@@ -62,6 +62,15 @@ final class ScramAuthenticator {
.stringPreparation(StringPreparation.POSTGRESQL_PREPARATION)
.build();
+ // channelBinding=require must never silently downgrade: regardless of
how negotiation
+ // resolved, the selected mechanism must actually use channel binding (a
-PLUS mechanism).
+ if (channelBinding == ChannelBinding.REQUIRE &&
!client.getScramMechanism().isPlus()) {
+ throw new PSQLException(
+ GT.tr("Channel Binding is required, but the negotiated SCRAM
mechanism \"{0}\" "
+ + "does not use channel binding.",
client.getScramMechanism().getName()),
+ PSQLState.CONNECTION_REJECTED);
+ }
+
LOGGER.log(Level.FINEST, () -> " Using SCRAM mechanism: "
+ client.getScramMechanism().getName());
return client;
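Review bot: The selected mechanism is logged only at `Level.FINEST`, after the new REQUIRE check, so a connection that ends up on a non-PLUS mechanism under any setting other than REQUIRE does not show up at normal log levels. The added check fails closed for REQUIRE, which is the right behaviour. For the remaining settings, consider a more visible record when `!client.getScramMechanism().isPlus()`, for example `LOGGER.log(Level.FINE, "SCRAM mechanism {0} selected without channel binding", client.getScramMechanism().getName());`, so operators can detect a fallback. The enclosing method begins before the hunk, so whether TLS is in use at this point cannot be confirmed from here.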
@@ -111,7 +120,22 @@ final class ScramAuthenticator {
Certificate peerCert = certificates[0]; // First certificate is the
peer's certificate
if (peerCert instanceof X509Certificate) {
X509Certificate cert = (X509Certificate) peerCert;
- return TlsServerEndpoint.getChannelBindingData(cert);
+ byte[] cbindData = TlsServerEndpoint.getChannelBindingData(cert);
+ if (cbindData.length > 0) {
+ return cbindData;
+ }
+ // An empty result means no channel binding hash could be derived
from the
+ // certificate signature algorithm: for example Ed25519 has no
associated hash
+ // under RFC 5929 tls-server-end-point. Under REQUIRE this must
fail rather than
+ // silently downgrade to a non-PLUS mechanism.
+ if (channelBinding == ChannelBinding.REQUIRE) {
+ throw new PSQLException(
+ GT.tr("Channel Binding is required, but the server
certificate signature "
+ + "algorithm \"{0}\" does not support
tls-server-end-point channel "
+ + "binding (RFC 5929). Use a server certificate signed
with RSA or ECDSA.",
+ cert.getSigAlgName()),
+ PSQLState.CONNECTION_REJECTED);
+ }
}
}
} catch (CertificateEncodingException | SSLPeerUnverifiedException e) {
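Review bot: The new REQUIRE rejection covers only the case where an X.509 peer certificate yields an empty hash. A peer certificate that is not an `X509Certificate`, and the `catch (CertificateEncodingException | SSLPeerUnverifiedException e)` path whose body lies outside the hunk, still fall through without an error here. Those paths are presumably rejected by the `isPlus()` check added where the client is built, but that dependency is not stated. If that is the intent, a comment after the inner `if` such as `// Other paths that yield no binding data are rejected under REQUIRE by the isPlus() check after mechanism selection.` would make the split enforcement explicit. A test with a non-X.509 or unverifiable peer under REQUIRE would confirm it; the method starts and ends outside the hunk.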
=====================================
src/main/java/org/postgresql/util/DriverInfo.java
=====================================
@@ -16,13 +16,13 @@ public final class DriverInfo {
// Driver name
public static final String DRIVER_NAME = "PostgreSQL JDBC Driver";
public static final String DRIVER_SHORT_NAME = "PgJDBC";
- public static final String DRIVER_VERSION = "42.7.11";
+ public static final String DRIVER_VERSION = "42.7.12";
public static final String DRIVER_FULL_NAME = DRIVER_NAME + " " +
DRIVER_VERSION;
// Driver version
public static final int MAJOR_VERSION = 42;
public static final int MINOR_VERSION = 7;
- public static final int PATCH_VERSION = 11;
+ public static final int PATCH_VERSION = 12;
// JDBC specification
public static final String JDBC_VERSION = "4.2";
=====================================
src/main/resources/META-INF/MANIFEST.MF
=====================================
@@ -1,7 +1,7 @@
Manifest-Version: 1.0
Bundle-License: BSD-2-Clause
Implementation-Title: PostgreSQL JDBC Driver
-Implementation-Version: 42.7.11
+Implementation-Version: 42.7.12
Specification-Vendor: Oracle Corporation
Specification-Version: 4.2
Specification-Title: JDBC
View it on GitLab:
https://salsa.debian.org/java-team/libpostgresql-jdbc-java/-/commit/8c6b8af74f775da02b589ee30921f8e2c97153d3