Bug#962828: libpgjava: CVE-2020-13692

Michael Banck michael.banck at credativ.de
Fri Jun 19 11:08:36 BST 2020


tags 962828 +patch
thanks

Hi,

On Sunday, 14.06.2020, 22:28 +0200, Christoph Berg wrote:
> Re: Salvatore Bonaccorso
> > CVE-2020-13692[0]:
> > > PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
> 
> > > which older versions are affected by this, and what is the impact?
> > > 
> > 
> > I would probably only worry about 42.2.x versions
> > impact summary
> > https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
> > 
> > 
> > > In Debian, we currently ship:
> > > 
> > > libpgjava  | 9.2-1002-1    | oldoldstable | source (ignore, it's EOL
> > > really soon)
> > > libpgjava  | 9.4.1212-1    | oldstable    | source
> > > libpgjava  | 42.2.5-2      | stable       | source
> > > libpgjava  | 42.2.12-1     | testing      | source
> > > libpgjava  | 42.2.12-1     | unstable     | source
> > > 
> > > Can you share the actual CVE diff, so we can fix it in the older
> > > versions?
> > 
> > Here is the diff
> > https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65
> 
> (I haven't checked yet if that diff applies to the buster package.)

I've backpatched that commit to the stable version (several edits were
required but the general code structure is similar) and verified that it
builds and that autopkgtest runs fine.

I haven't tested it otherwise yet, nor tried to reproduce the CVE, I
guess no exploits are available?


Michael

-- 
Michael Banck
Project Manager / Senior Consultant
Tel.: +49 2166 9901-171
Fax:  +49 2166 9901-100
Email: michael.banck at credativ.de

credativ GmbH, HRB Mönchengladbach 12080
VAT ID number: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Managing Directors: Dr. Michael Meskes, Jörg Folz, Sascha Heuer

Our handling of personal data is subject to
the following provisions: https://www.credativ.de/datenschutz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libpgjava_42.2.5-3.debdiff
Type: text/x-patch
Size: 26121 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20200619/f510334b/attachment-0001.bin>

