This is an automated email from the ASF dual-hosted git repository. srowen pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/master by this push: new 9150012697a [SPARK-39996][BUILD] Upgrade `postgresql` to 42.5.0 9150012697a is described below commit 9150012697a5421ff8ab60304b744dfb5ae03eee Author: Bjørn <bjornjorgen...@gmail.com> AuthorDate: Sun Sep 4 08:25:16 2022 -0500 [SPARK-39996][BUILD] Upgrade `postgresql` to 42.5.0 ### What changes were proposed in this pull request? Upgrade `postgresql` 42.3.3 to 42.5.0 ### Why are the changes needed? fix: [CVE-2022-31197](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31197) Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection. Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands. Also adds a new test class ResultSetRefreshTest to verify this change. Reported by [Sho Kato](https://github.com/kato-sho) [Changelog](https://jdbc.postgresql.org/documentation/changelog.html#version_42.5.0) ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? Pass GA Closes #37762 from bjornjorgensen/ugrade-postgressql-42.5.0. Authored-by: Bjørn <bjornjorgen...@gmail.com> Signed-off-by: Sean Owen <sro...@gmail.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 9d4aa0232a5..1fc694ba43f 100644 --- a/pom.xml +++ b/pom.xml @@ -1226,7 +1226,7 @@ <dependency> <groupId>org.postgresql</groupId> <artifactId>postgresql</artifactId> - <version>42.3.3</version> + <version>42.5.0</version> <scope>test</scope> </dependency> <dependency> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@spark.apache.org For additional commands, e-mail: commits-h...@spark.apache.org
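Review bot: In the `pom.xml` hunk at `@@ -1226,7 +1226,7 @@`, the bumped `org.postgresql:postgresql` dependency is declared with `<scope>test</scope>`, so this change only moves the driver on the test classpath, while the commit message gives CVE-2022-31197 as the motivation without saying so. Please state in the description that the driver is a test-only dependency here, so the bump is not read as remediation for deployments that supply their own PostgreSQL JDBC jar. The change also jumps from 42.3.3 to 42.5.0 with "Pass GA" as the only stated testing; it would help to note whether the JDBC tests that exercise this driver are part of that run.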