Bug#962828: libpgjava: CVE-2020-13692
Christoph Berg
myon at debian.org
Sun Jun 14 21:28:22 BST 2020
Re: Salvatore Bonaccorso
> CVE-2020-13692[0]:
> | PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
Hi,
upstream switched the build system in the .13 release, so uploading
isn't as easy as I had hoped. Details are in
https://github.com/pgjdbc/pgjdbc/issues/1440
(See the end of the thread; the beginning is about Fedora.)
> Please adjust the affected versions in the BTS as needed.
More info from Dave Cramer:
> > which older versions are affected by this, and what is the impact?
> >
>
> I would probably only worry about 42.2.x versions
> impact summary
> https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
>
>
> > In Debian, we currently ship:
> >
> > libpgjava | 9.2-1002-1 | oldoldstable | source (ignore, it's EOL really soon)
> > libpgjava | 9.4.1212-1 | oldstable | source
> > libpgjava | 42.2.5-2 | stable | source
> > libpgjava | 42.2.12-1 | testing | source
> > libpgjava | 42.2.12-1 | unstable | source
> >
> > Can you share the actual CVE diff, so we can fix it in the older
> > versions?
>
> Here is the diff
> https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65
(I haven't checked yet if that diff applies to the buster package.)
Christoph
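An added illustration, not part of this mail and not the pgjdbc fix commit linked above, of the parser hardening the OWASP XXE cheat sheet referenced in the thread recommends for JAXP: a permissive `DocumentBuilderFactory` next to a hardened one, both run against a constructed document that carries a DOCTYPE with an external entity. The class and method names are assumptions made for this example; the feature URIs and `XMLConstants` properties are the standard JAXP/Xerces ones.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningExample {

    // Constructed sample: a DTD declaring an external entity that points at a
    // path which does not exist. A parser that honours it will try to read it.
    static final String SAMPLE_WITH_DOCTYPE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///nonexistent/example\"> ]>\n"
        + "<doc>&ext;</doc>";

    // Constructed sample: ordinary data with no DTD at all.
    static final String SAMPLE_PLAIN = "<doc><row id=\"1\">ok</row></doc>";

    // Weak configuration: plain JAXP defaults, which resolve external entities.
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration as recommended by the OWASP cheat sheet:
    // reject DOCTYPE declarations outright (this alone stops XXE), and as
    // defence in depth also switch off external entities, external DTD
    // loading, XInclude, and any external access via the JAXP 1.5 properties.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Parse a string and return the root element name; throws on rejection.
    static String parseRootName(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getNodeName();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory hardened = hardenedFactory();

        // Ordinary data still parses with the hardened settings.
        System.out.println("hardened, plain document: " + parseRootName(hardened, SAMPLE_PLAIN));

        // The DOCTYPE is refused before any entity could be resolved.
        try {
            parseRootName(hardened, SAMPLE_WITH_DOCTYPE);
            System.out.println("UNEXPECTED: hardened parser accepted a DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }

        // With defaults the parser attempts to fetch the entity; here that
        // surfaces as an I/O error because the constructed path does not exist.
        try {
            parseRootName(permissiveFactory(), SAMPLE_WITH_DOCTYPE);
            System.out.println("UNEXPECTED: permissive parser succeeded");
        } catch (Exception e) {
            System.out.println("permissive parser tried to resolve the entity: " + e);
        }
    }
}
```

The first feature, `disallow-doctype-decl`, is the one that matters: with no DOCTYPE there is no place to declare an entity, so the remaining settings only guard against a parser implementation that does not honour it. Code that hands user-supplied XML to a JAXP parser (including the `SQLXML` path a JDBC driver exposes) should be checked for exactly this configuration.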