Commit 045896c

Bump org.postgresql:postgresql from 42.7.6 to 42.7.7 (#126)
Bumps [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) from 42.7.6 to 42.7.7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pgjdbc/pgjdbc/releases">org.postgresql:postgresql's releases</a>.</em></p> <blockquote> <h2>v42.7.7</h2> <h2>Changes</h2> <h3>Security</h3> <ul> <li>security: <strong>Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration.</strong> Fix <code>channel binding required</code> handling to reject non-SASL authentication Previously, when channel binding was set to &quot;require&quot;, the driver would silently ignore this requirement for non-SASL authentication methods. This could lead to a false sense of security when channel binding was explicitly requested but not actually enforced. The fix ensures that when channel binding is set to &quot;require&quot;, the driver will reject connections that use non-SASL authentication methods or when SASL authentication has not completed properly. See the <a href="https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54">Security Advisory</a> for more detail. 
Reported by <a href="https://github.com/jawj">George MacKerron</a> The following <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-49146">CVE-2025-49146</a> has been issued</li> </ul> <h3>Added</h3> <ul> <li>test: Added ChannelBindingRequiredTest to verify proper behavior of channel binding settings</li> </ul> <h2>🐛 Bug Fixes</h2> <ul> <li>fix: ensure Connection.isValid() returns true even if prepared statements deallocate <a href="https://github.com/vlsi"><code>@​vlsi</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3655">#3655</a>)</li> </ul> <h2>🧰 Maintenance</h2> <ul> <li>chore: bump slf4j and logback versions used for pgjdbc-osgi-test <a href="https://github.com/vlsi"><code>@​vlsi</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3653">#3653</a>)</li> <li>chore: fix the default branch name for dependency-submission action <a href="https://github.com/vlsi"><code>@​vlsi</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3650">#3650</a>)</li> <li>chore: add gradle/actions/dependency-submission so GitHub shows all dependencies used when building pgjdbc <a href="https://github.com/vlsi"><code>@​vlsi</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3646">#3646</a>)</li> </ul> <h2>⬆️ Dependencies</h2> <!-- raw HTML omitted --> <ul> <li>chore: bump slf4j and logback versions used for pgjdbc-osgi-test <a href="https://github.com/vlsi"><code>@​vlsi</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3653">#3653</a>)</li> <li>chore(deps): update oracle-actions/setup-java action to v1.4.2 <a href="https://github.com/renovate-bot"><code>@​renovate-bot</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3643">#3643</a>)</li> <li>fix(deps): update dependency checkstyle to v10.25.0 <a href="https://github.com/renovate-bot"><code>@​renovate-bot</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3644">#3644</a>)</li> <li>chore: add 
gradle/actions/dependency-submission so GitHub shows all dependencies used when building pgjdbc <a href="https://github.com/vlsi"><code>@​vlsi</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3646">#3646</a>)</li> <li>fix(deps): update dependency org.codehaus.groovy:groovy-all to v3.0.25 <a href="https://github.com/renovate-bot"><code>@​renovate-bot</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3648">#3648</a>)</li> <li>fix(deps): update dependency org.openrewrite.rewrite:org.openrewrite.rewrite.gradle.plugin to v7.7.0 <a href="https://github.com/renovate-bot"><code>@​renovate-bot</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3649">#3649</a>)</li> <li>chore(deps): update plugin com.gradle.develocity to v4.0.2 <a href="https://github.com/renovate-bot"><code>@​renovate-bot</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3647">#3647</a>)</li> <li>chore(deps): update codecov/codecov-action digest to 15559ed <a href="https://github.com/renovate-bot"><code>@​renovate-bot</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3636">#3636</a>)</li> <li>chore(deps): update dependency gradle to v8.14.1 <a href="https://github.com/renovate-bot"><code>@​renovate-bot</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3637">#3637</a>)</li> <li>chore(deps): update plugin org.jetbrains.kotlin.jvm to v2.1.21 - autoclosed <a href="https://github.com/renovate-bot"><code>@​renovate-bot</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3638">#3638</a>)</li> <li>chore(deps): update dependency sbt/sbt to v1.11.0 <a href="https://github.com/renovate-bot"><code>@​renovate-bot</code></a> (<a href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3640">#3640</a>)</li> <li>fix(deps): update dependency com.github.spotbugs:com.github.spotbugs.gradle.plugin to v6.1.13 <a href="https://github.com/renovate-bot"><code>@​renovate-bot</code></a> (<a 
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3639">#3639</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md">org.postgresql:postgresql's changelog</a>.</em></p> <blockquote> <h2>[42.7.7] (2025-06-10)</h2> <h3>Security</h3> <ul> <li>security: <strong>Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration.</strong> Fix <code>channel binding required</code> handling to reject non-SASL authentication Previously, when channel binding was set to &quot;require&quot;, the driver would silently ignore this requirement for non-SASL authentication methods. This could lead to a false sense of security when channel binding was explicitly requested but not actually enforced. The fix ensures that when channel binding is set to &quot;require&quot;, the driver will reject connections that use non-SASL authentication methods or when SASL authentication has not completed properly. See the <a href="https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54">Security Advisory</a> for more detail. 
Reported by <a href="https://github.com/jawj">George MacKerron</a> The following <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-49146">CVE-2025-49146</a> has been issued</li> </ul> <h3>Added</h3> <ul> <li>test: Added ChannelBindingRequiredTest to verify proper behavior of channel binding settings</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0"><code>9217ed1</code></a> Merge commit from fork</li> <li><a href="https://github.com/pgjdbc/pgjdbc/commit/cb10dce086845b300f67125a7f33d59cc824c3d8"><code>cb10dce</code></a> fix: ensure Connection.isValid() returns true even if prepared statements dea...</li> <li><a href="https://github.com/pgjdbc/pgjdbc/commit/10e3546750888767191df90f188651306b3bafa7"><code>10e3546</code></a> chore: bump slf4j and logback versions used for pgjdbc-osgi-test</li> <li><a href="https://github.com/pgjdbc/pgjdbc/commit/6c5ea88fc59f003cc0afc7bee046e8ddb0c9666c"><code>6c5ea88</code></a> chore: fix the default branch name for dependency-submission action</li> <li><a href="https://github.com/pgjdbc/pgjdbc/commit/5616d5f83e07128c0efdc414d8e84c15be0d9512"><code>5616d5f</code></a> chore(deps): update oracle-actions/setup-java action to v1.4.2</li> <li><a href="https://github.com/pgjdbc/pgjdbc/commit/0d43f0ac91545272fe16375ec54ffac7768e76fd"><code>0d43f0a</code></a> fix(deps): update dependency checkstyle to v10.25.0</li> <li><a href="https://github.com/pgjdbc/pgjdbc/commit/d0a88904d84bc5dbfe655f5dbd89339081cb6cf8"><code>d0a8890</code></a> chore: add gradle/actions/dependency-submission so GitHub shows all dependenc...</li> <li><a href="https://github.com/pgjdbc/pgjdbc/commit/7105c75b550cc9c03e99cfe2b2485a1b30cb0e88"><code>7105c75</code></a> fix(deps): update dependency org.codehaus.groovy:groovy-all to v3.0.25</li> <li><a 
href="https://github.com/pgjdbc/pgjdbc/commit/d9a6fc63bdde2b020f6edd93296918956ae32328"><code>d9a6fc6</code></a> fix(deps): update dependency org.openrewrite.rewrite:org.openrewrite.rewrite....</li> <li><a href="https://github.com/pgjdbc/pgjdbc/commit/19dff836d9982f8ac3c1ab9f9187416aa247034b"><code>19dff83</code></a> chore(deps): update plugin com.gradle.develocity to v4.0.2</li> <li>Additional commits viewable in <a href="https://github.com/pgjdbc/pgjdbc/compare/REL42.7.6...REL42.7.7">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.postgresql:postgresql&package-manager=gradle&previous-version=42.7.6&new-version=42.7.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent 54cc052 commit 045896c

1 file changed

+1
-1
lines changed


gradle/libs.versions.toml

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ sqldelight = "2.1.0"
88
[libraries]
99
assertj-core = { module = "org.assertj:assertj-core", version = "3.27.3" }
1010
intellij-analysis = { module = "com.jetbrains.intellij.platform:analysis-impl", version.ref = "idea" }
11-
postgres-jdbc-driver = { module = "org.postgresql:postgresql", version = "42.7.6" }
11+
postgres-jdbc-driver = { module = "org.postgresql:postgresql", version = "42.7.7" }
1212
slf4j-simple = { module = "org.slf4j:slf4j-simple", version = "2.0.17" }
1313
sql-psi = { module = "app.cash.sql-psi:core", version.ref = "sql-psi" }
1414
sqldelight-compiler-env = { module = "app.cash.sqldelight:compiler-env", version.ref = "sqldelight" }
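
Review bot: The `postgres-jdbc-driver` entry carries its version as an inline literal with nothing recording that 42.7.7 is a security floor, so a later pin or downgrade of this line would look like an ordinary version change. The commit message ties this release to the fix for CVE-2025-49146 (`channelBinding=require` not being enforced for non-SASL authentication); a one-line TOML comment above the entry naming that CVE and 42.7.7 as the minimum would keep the reason next to the version. The neighbouring entries `intellij-analysis`, `sql-psi` and `sqldelight-compiler-env` use `version.ref`, so moving this version into the versions table with a named key would also be consistent with the rest of the catalog. Per the quoted release notes, the fix only changes behaviour for connections that set channel binding to "require"; nothing in this file shows whether the project's connection settings do so, which is worth confirming separately.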
