|
Message-ID: <CA+TgmoaBc8x=ppVB_DhvASPyor5KN6JoXw0qNgFfDubtbM0zWw@mail.gmail.com> Date: Fri, 30 Mar 2012 11:27:29 -0400 From: Robert Haas <robertmhaas@...il.com> To: Ludwig Nussel <ludwig.nussel@...e.de> Cc: oss-security@...ts.openwall.com, security@...tgresql.org Subject: Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1 On Fri, Mar 30, 2012 at 8:51 AM, Ludwig Nussel <ludwig.nussel@...e.de> wrote: > Postgresql 9.1 turned "standard conforming strings" on by default[1][2]. > postgresql-jdbc before version 8.2-504 however did not know about that > kind of string and escaped single quotes with a backslash always. When > such an old version of postgresql-jdbc is used with a newer postgresql > server it not only breaks when strings contain single quotes, it also > allows for SQL injections[3]. > The bug is neither in postgresql-jdbc as it was working correctly at the > time it was released, nor is it really postgresql 9.1's fault which I > guess doesn't expect and can't detect such an old jdbc adapter. The > security issue arises when mixing the old adapter and the new server. Right. This issue has been previously reported to pgsql-security. The position of the pgsql-jdbc project is that a client version should be used with a matching server version; therefore, the project views the proposed combination as an unsupported configuration. Moreover, PostgreSQL 8.2.x and postgresql-jdbc-8.2-x were desupported in general as of December 2011. The end of life dates for each major release are documented on our web site[1], and the pgsql-jdbc download site[2] clearly identifies this version of the driver as an "archived version" rather than a "supported version". As a rule, bug fix and security updates are not released for versions which are no longer supported; users are advised to update to a supported version. Users of pgsql-jdbc are further advised to use a major version that matches the PostgreSQL server to which they are connecting. [1] http://www.postgresql.org/support/versioning/ [2] http://jdbc.postgresql.org/download.html -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.